Abstract

A notion of generalized regular expressions for a large class of systems modeled as coalgebras, and an analogue of Kleene's theorem and Kleene algebra, were recently proposed by a subset of the authors of this paper. Examples of the systems covered include infinite streams, deterministic automata, Mealy machines and labelled transition systems. In this paper, we present a novel algorithm to decide whether two expressions are bisimilar or not. The procedure is implemented in the automatic theorem prover CIRC, by reducing coinduction to an entailment relation between an algebraic specification and an appropriate set of equations. We illustrate the generality of the tool with three examples: infinite streams of real numbers, Mealy machines and labelled transition systems.



1. Introduction 

Regular expressions and finite deterministic automata (DFA's) constitute two of the most basic structures in computer science. Kleene's theorem [10] gives a fundamental correspondence between these two structures: each regular expression denotes a language that can be recognized by a DFA and, conversely, the language accepted by a DFA can be specified by a regular expression. Languages denoted by regular expressions are called regular. Two regular expressions are (language) equivalent if they denote the same regular language. Salomaa [21] presented a sound and complete axiomatization (later refined by Kozen in [11, 12]) for proving the equivalence of regular expressions.



The above programme was applied by Milner in [15] to process behaviours and labelled transition systems (LTS's). Milner introduced a set of expressions for finite LTS's and proved an analogue of Kleene's Theorem: each expression denotes the behaviour of a finite LTS and, conversely, the behaviour of a finite LTS can be specified by an expression (modulo bisimilarity). Milner also provided an axiomatization for his expressions, with the property that two expressions are provably equivalent if and only if they are bisimilar.

Coalgebras arose in the last decade as a suitable mathematical framework to study state-based systems, such as DFA's and LTS's. For a functor $\mathcal{G}\colon \mathbf{Set} \to \mathbf{Set}$, a $\mathcal{G}$-coalgebra or $\mathcal{G}$-system is a pair $(S, g)$, consisting of a set $S$ of states and a function $g\colon S \to \mathcal{G}(S)$ defining the "transitions" of the states. We call the functor $\mathcal{G}$ the type of the system. For instance, DFA's can be readily seen to correspond to coalgebras of the functor $\mathcal{G}(S) = 2 \times S^A$ and image-finite LTS's are obtained by $\mathcal{G}(S) = \mathcal{P}_\omega(S)^A$, where $\mathcal{P}_\omega$ is the finite powerset.

For coalgebras of a large class of functors, a language of regular expressions, a corresponding generalization of Kleene's theorem, and a sound and complete axiomatization for the associated notion of behavioral equivalence were introduced in [23]. Both the language of expressions and their axiomatization were derived, in a modular fashion, from the functor defining the type of the system.

Algebra and related tools can be successfully used for reasoning on properties of systems. In this paper, we present a novel method for checking for bisimilarity of generalized regular expressions using the coinductive theorem prover CIRC [5, 17]. The main novelty of the method lies in the generality of the systems it can handle. CIRC is a metalanguage application implemented in Maude [4], and its target is to prove properties over infinite data structures. It has been successfully used for checking the equivalence of programs, and trace equivalence and strong bisimilarity of processes. The tool may be tested online and downloaded from https://fmse.info.uaic.ro/tools/Circ.

Determining whether two expressions are equivalent is important in order to be able to compare behavioral specifications. In the presence of a sound and complete axiomatization one can determine equivalence using algebraic reasoning. A coalgebraic perspective on regular expressions has however provided a more operational/algorithmic way of checking equivalence: one constructs a bisimulation relation containing both expressions. The advantage of the bisimulation approach is that it enables automation since the steps of the construction are fairly mechanical and require almost no ingenuity.

We remark that in theory it has been shown that both problems are in PSPACE [13, 25], but in practice bisimulation checking tends to be easier. We illustrate this with an example, to give the reader the feeling of the more algorithmic nature of bisimulation. We want to stress however that we are not underestimating the value of an algebraic treatment of regular expressions: on the contrary, as we will show later, the axiomatization plays an important role in guaranteeing termination of the bisimulation construction and is therefore crucial for the main result of this article.

We show below a proof of the sliding rule: $a(ba)^* = (ab)^*a$. The algebraic proof, using the rules and equations of Kleene algebra, needs to show the two containments

$$a(ba)^* \le (ab)^*a \quad\text{and}\quad (ab)^*a \le a(ba)^*$$

and it requires some ingenuity in the choice of the equation applied in each step. We show the proof for the first inequality; the other would follow a similar proof pattern.

$$\begin{array}{rll}
& a(ba)^* \le (ab)^*a & \\
\Leftarrow & a + (ab)^*a(ba) \le (ab)^*a & \text{right-star rule} \\
\Leftrightarrow & (1 + (ab)^*ab)a \le (ab)^*a & \text{associativity and distributivity} \\
\Leftrightarrow & (ab)^*a \le (ab)^*a & \text{right expansion rule: } 1 + r^*r = r^*
\end{array}$$

For the coalgebraic proof, we build incrementally, and rather mechanically, a bisimulation relation containing the pair $(a(ba)^*, (ab)^*a)$. We start with the pair we want to prove equivalent and then we close the relation with respect to syntactic language derivatives, also known as Brzozowski derivatives. In the current example, the bisimulation relation would contain three pairs:

$$R = \{(a(ba)^*,\ (ab)^*a),\ ((ba)^*,\ b(ab)^*a + 1),\ (0, 0)\}$$

where $1$ and $0$ are, respectively, the regular expressions denoting the empty word and the empty language. In constructing this relation, no decisions were made, hence the suitability of bisimulation construction as an automatic technique to prove equivalence of regular expressions.
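As an added illustration (our own code, not the paper's), the following Python computes the relation $R$ above by closing $\{(a(ba)^*, (ab)^*a)\}$ under Brzozowski derivatives; unions are kept modulo ACI and the Kleene-algebra laws $0e = e0 = 0$, $1e = e1 = e$ are applied eagerly so that the closure terminates. The tuple encoding of expressions is our assumption.

```python
"""Brzozowski derivatives for classical regular expressions.
Terms: ZERO = ('0',) | ONE = ('1',) | ('sym', a) | ('alt', frozenset)
       | ('cat', l, r) | ('star', e)           (constructed encoding)"""
ZERO, ONE = ('0',), ('1',)

def sym(a):
    return ('sym', a)

def alt(*es):
    """Union modulo ACI: flatten nested unions, drop 0, keep a set of summands."""
    items = set()
    for e in es:
        if e != ZERO:
            items |= e[1] if e[0] == 'alt' else {e}
    if len(items) <= 1:
        return next(iter(items), ZERO)
    return ('alt', frozenset(items))

def cat(l, r):
    """Concatenation with 0e = e0 = 0 and 1e = e1 = e applied eagerly."""
    if l == ZERO or r == ZERO:
        return ZERO
    if l == ONE:
        return r
    return l if r == ONE else ('cat', l, r)

def star(e):
    if e in (ZERO, ONE):
        return ONE
    return e if e[0] == 'star' else ('star', e)

def nullable(e):
    """Does L(e) contain the empty word?  This is the 'output' of a state."""
    k = e[0]
    if k in ('0', 'sym'):
        return False
    if k in ('1', 'star'):
        return True
    if k == 'alt':
        return any(nullable(x) for x in e[1])
    return nullable(e[1]) and nullable(e[2])       # cat

def deriv(e, c):
    """Brzozowski derivative: the expression for { w | c w in L(e) }."""
    k = e[0]
    if k in ('0', '1'):
        return ZERO
    if k == 'sym':
        return ONE if e[1] == c else ZERO
    if k == 'alt':
        return alt(*(deriv(x, c) for x in e[1]))
    if k == 'star':
        return cat(deriv(e[1], c), e)
    l, r = e[1], e[2]                              # cat
    return alt(cat(deriv(l, c), r), deriv(r, c) if nullable(l) else ZERO)

def bisimilar(e1, e2, alphabet):
    """Close {(e1, e2)} under derivatives.  Returns (True, R) with the
    bisimulation R, or (False, (p, q)) with the first pair whose outputs differ."""
    R, todo = set(), [(e1, e2)]
    while todo:
        p, q = todo.pop()
        if (p, q) in R:
            continue
        if nullable(p) != nullable(q):
            return False, (p, q)
        R.add((p, q))
        todo.extend((deriv(p, c), deriv(q, c)) for c in alphabet)
    return True, R

def show(e):
    """Render a term in ordinary regular-expression syntax."""
    k = e[0]
    if k in ('0', '1'):
        return k
    if k == 'sym':
        return e[1]
    if k == 'alt':
        return ' + '.join(sorted(show(x) for x in e[1]))
    if k == 'cat':
        return ''.join(f'({show(x)})' if x[0] == 'alt' else show(x) for x in e[1:])
    inner = show(e[1])                             # star
    return (inner if e[1][0] == 'sym' else f'({inner})') + '*'

a, b = sym('a'), sym('b')
LEFT = cat(a, star(cat(b, a)))       # a(ba)*
RIGHT = cat(star(cat(a, b)), a)      # (ab)*a

if __name__ == '__main__':
    ok, R = bisimilar(LEFT, RIGHT, 'ab')
    print(ok, sorted((show(p), show(q)) for p, q in R))
```

Running it yields the three pairs listed above; for a non-equivalent pair such as $a^*$ and $(aa)^*$ the function returns the first pair of derivatives whose outputs disagree.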

The main contributions of this paper can be summarized as follows. We 
present a decision procedure to determine equivalence of generalized regular 
expressions, which specify behaviours of many types of transition systems, in- 
cluding Mealy machines, labelled transition systems and infinite streams. The 
valid expressions for each system are type-checked automatically in the tool. We 
illustrate the decision procedure we devised by applying it to several examples. 
As a vehicle of implementation, we choose CIRC, a coinductive theorem prover 
which has already been explored for the construction of bisimulations. To ease 
the implementation in CIRC, we present the algebraic specifications' counterpart 
of the coalgebraic framework of the generalized regular expressions mentioned 
above. This enables us to automatically derive algebraic specifications that 
model the language of expressions, and to define an appropriate equational en- 
tailment relation which mimics our decision procedure for checking behavioural 
equivalence of expressions. The implementation of both the algebraic specifica- 
tion and the entailment relation in CIRC allows for automatic reasoning on the 
equivalence of expressions. 

The present paper is an extended version of the conference paper [?]. In comparison with the aforementioned paper we have extended the tool to deal with non-deterministic systems. More precisely, we have included the powerset functor in the class of functors considered. Moreover, we have included all the proofs, more examples and additional explanations on the theory behind and implementation of the tool.

Organization of the paper. Section 2 recalls the basic definitions of the language associated to a non-deterministic functor. Section 3 describes the decision procedure to check equivalence of regular expressions. Section 4 formulates the aforementioned language as an algebraic specification, which paves the way to implement in CIRC the procedure to decide equivalence of expressions. The implementation of the decision procedure and its soundness are described in Section 5. In Section 6 we show, by means of several examples, how one can check bisimilarity using CIRC. Section 7 contains concluding remarks and pointers for future work.



2. Regular Expressions for Non-deterministic Coalgebras

In this section, we briefly recall the basic definitions in [23].
Let $\mathbf{Set}$ denote the category of sets (represented by capital letters $X, Y, \ldots$) and functions (represented by lower case letters $f, g, \ldots$). We write $Y^X$ for the family of functions from $X$ to $Y$ and $\mathcal{P}_\omega(X)$ for the collection of finite subsets of a set $X$. The product of two sets $X, Y$ is written as $X \times Y$ and has the projection functions $\pi_1\colon X \times Y \to X$ and $\pi_2\colon X \times Y \to Y$. We define $X \,\bar{\oplus}\, Y = X \uplus Y \uplus \{\bot, \top\}$ where $\uplus$ is the disjoint union of sets, with injections $X \xrightarrow{\kappa_1} X \uplus Y \xleftarrow{\kappa_2} Y$. Note that the set $X \,\bar{\oplus}\, Y$ is different from the classical coproduct of $X$ and $Y$ (which we shall denote by $X + Y$), because of the two extra elements $\bot$ and $\top$. These extra elements are used to represent, respectively, underspecification and inconsistency in the specification of some systems.

For each of the operations defined above on sets, there are analogous ones on functions. Let $f\colon X \to Y$, $f_1\colon X \to Y$ and $f_2\colon Z \to W$. We define the following operations:

$$f_1 \times f_2\colon X \times Z \to Y \times W \qquad (f_1 \times f_2)(x, z) = (f_1(x), f_2(z))$$

$$f_1 \,\bar{\oplus}\, f_2\colon X \,\bar{\oplus}\, Z \to Y \,\bar{\oplus}\, W \qquad (f_1 \,\bar{\oplus}\, f_2)(c) = c,\ c \in \{\bot, \top\} \qquad (f_1 \,\bar{\oplus}\, f_2)(\kappa_i(x)) = \kappa_i(f_i(x)),\ i \in \overline{1,2}$$

$$f^A\colon X^A \to Y^A \qquad f^A(g) = f \circ g$$

$$\mathcal{P}_\omega(f)\colon \mathcal{P}_\omega(X) \to \mathcal{P}_\omega(Y) \qquad \mathcal{P}_\omega(f)(S) = \{\, y \in Y \mid f(x) = y,\ x \in S \,\}$$

Remark 1. For the sake of brevity, we use the notation $i \in \overline{1,n}$ as a shorthand for $i \in \{1, \ldots, n\}$.

Note that in the definition above we are using the same symbols that we defined above for the operations on sets. It will always be clear from the context which operation is being used.

In our definition of non-deterministic functors we will use constant sets equipped with an information order. In particular, we will use join-semilattices. A (bounded) join-semilattice is a set $B$ equipped with a binary operation $\vee_B$ and a constant $\bot_B \in B$, such that $\vee_B$ is commutative, associative and idempotent. The element $\bot_B$ is neutral with respect to $\vee_B$. As usual, $\vee_B$ gives rise to a partial ordering $\le_B$ on the elements of $B$: $b_1 \le_B b_2 \Leftrightarrow b_1 \vee_B b_2 = b_2$. Every set $S$ can be mapped into a join-semilattice by taking $B$ to be the set of all finite subsets of $S$ with the empty set as $\bot_B$, and union as join.
Coalgebras. A coalgebra is a pair $(S, g\colon S \to \mathcal{G}(S))$, where $S$ is a set of states and $\mathcal{G}\colon \mathbf{Set} \to \mathbf{Set}$ is a functor. The functor $\mathcal{G}$, together with the function $g$, determines the transition structure (or dynamics) of the $\mathcal{G}$-coalgebra [20]. A coalgebra $(S, g)$ is finite if $S$ is a finite set.

Definition 1 (Bisimulation). Let $(S, f)$ and $(T, g)$ be two $\mathcal{G}$-coalgebras. We call a relation $R \subseteq S \times T$ a bisimulation [9] iff

$$(s, t) \in R \Rightarrow (f(s), g(t)) \in \overline{\mathcal{G}}(R)$$

where $\overline{\mathcal{G}}(R)$ is defined as $\overline{\mathcal{G}}(R) = \{(\mathcal{G}(\pi_1)(x), \mathcal{G}(\pi_2)(x)) \mid x \in \mathcal{G}(R)\}$.

We write $s \sim_{\mathcal{G}} t$ whenever there exists a bisimulation relation containing $(s, t)$ and we call $\sim_{\mathcal{G}}$ the bisimilarity relation. It is of interest to remark that the relation $\sim_{\mathcal{G}}$ is an equivalence relation. We shall drop the subscript $\mathcal{G}$ whenever the functor $\mathcal{G}$ is clear from the context. In the literature, one finds different definitions of bisimulation or behavioral equivalence [24]. For the class of functors we consider here the different notions coincide and therefore we will not discuss them.

Non-deterministic functors. They are functors $\mathcal{G}\colon \mathbf{Set} \to \mathbf{Set}$ built inductively from the identity, and constants, using $\times$, $\bar{\oplus}$, $(-)^A$ and $\mathcal{P}_\omega$:

$$\mathsf{NDF} \ni \mathcal{G} ::= \mathrm{Id} \mid B \mid \mathcal{G} \,\bar{\oplus}\, \mathcal{G} \mid \mathcal{G} \times \mathcal{G} \mid \mathcal{G}^A \mid \mathcal{P}_\omega \mathcal{G} \qquad (1)$$

where $B$ is a finite join-semilattice and $A$ is a finite set. Typical examples of non-deterministic functors include $\mathcal{S} = B \times \mathrm{Id}$, $\mathcal{M} = (B \times \mathrm{Id})^A$, $\mathcal{D} = 2 \times \mathrm{Id}^A$, $\mathcal{Q} = (1 \,\bar{\oplus}\, \mathrm{Id})^A$, $\mathcal{N} = 2 \times \mathcal{P}_\omega(\mathrm{Id})^A$ and $\mathcal{L} = 1 \,\bar{\oplus}\, \mathcal{P}_\omega(\mathrm{Id})^A$. These functors represent, respectively, the type of streams, Mealy machines, deterministic automata, partial deterministic automata, non-deterministic automata and labeled transition systems with explicit termination. $\mathcal{S}$-bisimulation is stream equality, whereas $\mathcal{D}$-bisimulation coincides with language equivalence.

Remark 2. As stated in [23], the use of join-semilattices for constant functors and the sum $\bar{\oplus}$ instead of the ordinary coproduct enabled the use of underspecification and inconsistency (i.e., $\top$ and $\bot$, respectively) in the specification of systems, and moreover, has allowed the whole framework to be studied in the category $\mathbf{Set}$. Even though underspecification and inconsistency can be captured by a semilattice structure, and the axiomatization provides the set of expressions with a join-semilattice structure (therefore allowing the work directly in the category of join-semilattices), remaining in the category $\mathbf{Set}$ was chosen for simplicity.

Next, we give the definition of the ingredient relation, which relates a non-deterministic functor $\mathcal{G}$ with its ingredients, i.e., the functors used in its inductive construction. We shall use this relation later for typing our expressions.

Definition 2. Let $\lhd \subseteq \mathsf{NDF} \times \mathsf{NDF}$ be the least reflexive and transitive relation on non-deterministic functors such that

$$\mathcal{G}_1 \lhd \mathcal{G}_1 \times \mathcal{G}_2, \quad \mathcal{G}_2 \lhd \mathcal{G}_1 \times \mathcal{G}_2, \quad \mathcal{G}_1 \lhd \mathcal{G}_1 \,\bar{\oplus}\, \mathcal{G}_2, \quad \mathcal{G}_2 \lhd \mathcal{G}_1 \,\bar{\oplus}\, \mathcal{G}_2, \quad \mathcal{G} \lhd \mathcal{G}^A, \quad \mathcal{G} \lhd \mathcal{P}_\omega \mathcal{G}.$$

Here and throughout this document we use $\mathcal{F} \lhd \mathcal{G}$ as a shorthand for $(\mathcal{F}, \mathcal{G}) \in \lhd$. If $\mathcal{F} \lhd \mathcal{G}$, then $\mathcal{F}$ is said to be an ingredient of $\mathcal{G}$. For example, $2$, $\mathrm{Id}$, $\mathrm{Id}^A$ and $\mathcal{D}$ itself are all the ingredients of the deterministic automata functor $\mathcal{D}$.



A language of regular expressions for non-deterministic coalgebras.

We now associate a language of expressions $\mathsf{Exp}_{\mathcal{G}}$ with each non-deterministic functor $\mathcal{G}$.

Definition 3 (Expressions). Let $A$ be a finite set, $B$ a finite join-semilattice and $X$ a set of fixed-point variables. The set $\mathsf{Exp}$ of all expressions is given by the following grammar, where $a \in A$, $b \in B$ and $x \in X$:

$$\varepsilon ::= x \mid \varepsilon \oplus \varepsilon \mid \gamma \qquad (2)$$

where $\gamma$ is a guarded expression given by:

$$\gamma ::= \emptyset \mid \gamma \oplus \gamma \mid \mu x.\gamma \mid b \mid l(\varepsilon) \mid r(\varepsilon) \mid l[\varepsilon] \mid r[\varepsilon] \mid a(\varepsilon) \mid \{\varepsilon\} \qquad (3)$$

In the expression $\mu x.\gamma$, $\mu$ is a binder for all the free occurrences of $x$ in $\gamma$. Variables that are not bound are free. A closed expression is an expression without free occurrences of fixed-point variables $x$. We denote the set of closed expressions by $\mathsf{Exp}_c$.

The language of expressions for non-deterministic coalgebras is a generalization of the classical notion of regular expressions: $\emptyset$, $\varepsilon_1 \oplus \varepsilon_2$ and $\mu x.\gamma$ play similar roles to the regular expressions denoting the empty language, the union of languages and the Kleene star. Moreover, note that, not unexpectedly, in [23] $\oplus$ was axiomatized as an associative, commutative and idempotent operator, with $\emptyset$ as a neutral element. The expressions $l(\varepsilon)$, $r(\varepsilon)$, $l[\varepsilon]$, $r[\varepsilon]$, $a(\varepsilon)$ and $\{\varepsilon\}$ specify the left and right hand-side of products and sums, function application and singleton sets, respectively. Next, we present a type assignment system for associating expressions to non-deterministic functors. This will allow us to associate with each functor $\mathcal{G}$ the expressions $\varepsilon \in \mathsf{Exp}_c$ that are valid specifications of $\mathcal{G}$-coalgebras.

Definition 4 (Type system). We now define a typing relation $\vdash \subseteq \mathsf{Exp} \times \mathsf{NDF} \times \mathsf{NDF}$ that will associate an expression $\varepsilon$ with two non-deterministic functors $\mathcal{F}$ and $\mathcal{G}$, which are related by the ingredient relation ($\mathcal{F}$ is an ingredient of $\mathcal{G}$). We shall write $\vdash \varepsilon : \mathcal{F} \lhd \mathcal{G}$ for $(\varepsilon, \mathcal{F}, \mathcal{G}) \in \vdash$. The rules that define $\vdash$ are the following:

$$\frac{}{\vdash \emptyset : \mathcal{F} \lhd \mathcal{G}} \qquad \frac{}{\vdash b : B \lhd \mathcal{G}}\ (b \in B) \qquad \frac{}{\vdash x : \mathcal{G} \lhd \mathcal{G}}\ (x \in X)$$

$$\frac{\vdash \varepsilon : \mathcal{G} \lhd \mathcal{G}}{\vdash \mu x.\varepsilon : \mathcal{G} \lhd \mathcal{G}} \qquad \frac{\vdash \varepsilon_1 : \mathcal{F} \lhd \mathcal{G} \quad \vdash \varepsilon_2 : \mathcal{F} \lhd \mathcal{G}}{\vdash \varepsilon_1 \oplus \varepsilon_2 : \mathcal{F} \lhd \mathcal{G}} \qquad \frac{\vdash \varepsilon : \mathcal{G} \lhd \mathcal{G}}{\vdash \varepsilon : \mathrm{Id} \lhd \mathcal{G}}$$

$$\frac{\vdash \varepsilon : \mathcal{F}_2 \lhd \mathcal{G}}{\vdash r[\varepsilon] : \mathcal{F}_1 \,\bar{\oplus}\, \mathcal{F}_2 \lhd \mathcal{G}} \qquad \frac{\vdash \varepsilon : \mathcal{F} \lhd \mathcal{G}}{\vdash a(\varepsilon) : \mathcal{F}^A \lhd \mathcal{G}}\ (a \in A) \qquad \frac{\vdash \varepsilon : \mathcal{F}_1 \lhd \mathcal{G}}{\vdash l(\varepsilon) : \mathcal{F}_1 \times \mathcal{F}_2 \lhd \mathcal{G}}$$

$$\frac{\vdash \varepsilon : \mathcal{F}_2 \lhd \mathcal{G}}{\vdash r(\varepsilon) : \mathcal{F}_1 \times \mathcal{F}_2 \lhd \mathcal{G}} \qquad \frac{\vdash \varepsilon : \mathcal{F}_1 \lhd \mathcal{G}}{\vdash l[\varepsilon] : \mathcal{F}_1 \,\bar{\oplus}\, \mathcal{F}_2 \lhd \mathcal{G}} \qquad \frac{\vdash \varepsilon : \mathcal{F} \lhd \mathcal{G}}{\vdash \{\varepsilon\} : \mathcal{P}_\omega \mathcal{F} \lhd \mathcal{G}}$$

We can now formally define the set of $\mathcal{G}$-expressions: well-typed expressions associated with a non-deterministic functor $\mathcal{G}$.

Definition 5 ($\mathcal{G}$-expressions). Let $\mathcal{G}$ be a non-deterministic functor and $\mathcal{F}$ an ingredient of $\mathcal{G}$. We define $\mathsf{Exp}_{\mathcal{F} \lhd \mathcal{G}}$ by:

$$\mathsf{Exp}_{\mathcal{F} \lhd \mathcal{G}} = \{\varepsilon \in \mathsf{Exp}_c \mid\ \vdash \varepsilon : \mathcal{F} \lhd \mathcal{G}\}.$$

We define the set $\mathsf{Exp}_{\mathcal{G}}$ of well-typed expressions by $\mathsf{Exp}_{\mathcal{G} \lhd \mathcal{G}}$.

In [23], it was proved that the set of $\mathcal{G}$-expressions for a given non-deterministic functor $\mathcal{G}$ has a coalgebraic structure:

$$\delta_{\mathcal{G}}\colon \mathsf{Exp}_{\mathcal{G}} \to \mathcal{G}(\mathsf{Exp}_{\mathcal{G}})$$

More precisely, in [23], which we refer to for the complete definition of $\delta_{\mathcal{G}}$, the authors defined a function $\delta_{\mathcal{F} \lhd \mathcal{G}}\colon \mathsf{Exp}_{\mathcal{F} \lhd \mathcal{G}} \to \mathcal{F}(\mathsf{Exp}_{\mathcal{G}})$ and then set $\delta_{\mathcal{G}} = \delta_{\mathcal{G} \lhd \mathcal{G}}$.

The coalgebraic structure on the set of expressions enabled the proof of a Kleene-like theorem.

Theorem 1 (Kleene's theorem for non-deterministic coalgebras). Let $\mathcal{G}$ be a non-deterministic functor.

1. For any $\varepsilon \in \mathsf{Exp}_{\mathcal{G}}$, there exists a finite $\mathcal{G}$-coalgebra $(S, g)$ and $s \in S$ such that $\varepsilon \sim s$.

2. For every finite $\mathcal{G}$-coalgebra $(S, g)$ and $s \in S$ there exists an expression $\varepsilon_s \in \mathsf{Exp}_{\mathcal{G}}$ such that $\varepsilon_s \sim s$.

In order to provide the reader with intuition over the notions presented above, we illustrate them with an example.

Example 1. Let us instantiate the definition of $\mathcal{S}$-expressions to the functor of streams $\mathcal{S} = B \times \mathrm{Id}$ (the ingredients of this functor are $B$, $\mathrm{Id}$ and $\mathcal{S}$ itself). Let $X$ be a set of (recursion or) fixed-point variables. The set $\mathsf{Exp}_{\mathcal{S}}$ of stream expressions is given by the set of closed, guarded expressions generated by the following BNF grammar. For $x \in X$:

$$\mathsf{Exp}_{\mathcal{S}} \ni \varepsilon ::= \emptyset \mid \varepsilon \oplus \varepsilon \mid \mu x.\varepsilon \mid x \mid l(\tau) \mid r(\varepsilon) \qquad \tau ::= \emptyset \mid b \mid \tau \oplus \tau \qquad (4)$$

Intuitively, the expression $l(b)$ is used to specify that the head of the stream is $b$, while $r(\varepsilon)$ specifies a stream whose tail behaves as specified by $\varepsilon$. For the two-element join-semilattice $B = \{0, 1\}$ (with $\bot_B = 0$) examples of well-typed expressions include $\emptyset$, $l(1) \oplus r(l(\emptyset))$ and $\mu x.r(x) \oplus l(1)$. The expressions $l[1]$, $l(1) \oplus 1$ and $\mu x.1$ are examples of non-well-typed expressions for $\mathcal{S}$, because the functor $\mathcal{S}$ does not involve $\bar{\oplus}$, the subexpressions in the sum have different types, and recursion is not at the outermost level ($1$ has type $B \lhd \mathcal{S}$), respectively.
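As an added example (our own code, not the paper's), the following Python decides membership in $\mathsf{Exp}_{\mathcal{S}}$: it computes the ingredient relation of Definition 2, implements the typing rules of Definition 4 together with closedness and the guardedness of grammars (2)/(3), and classifies the six expressions listed above. The tuple encodings of functors and expressions are our own assumptions.

```python
"""Type checker for generalized regular expressions (Definitions 2, 4, 5).
Functors:    ('Id',) | ('B', frozenset) | ('prod', F1, F2) | ('sum', F1, F2)
             | ('exp', F, alphabet_frozenset) | ('pow', F)
Expressions: ('empty',) | ('b', v) | ('var', x) | ('mu', x, e) | ('plus', e1, e2)
             | ('l', e) | ('r', e) | ('lb', e) | ('rb', e) | ('app', a, e) | ('set', e)
The encodings are our own; 'sum' stands for the lifted sum with bottom and top."""
ID = ('Id',)

def ingredients(G):
    """All F with F <| G (Definition 2): G plus the ingredients of its parts."""
    out = {G}
    if G[0] in ('prod', 'sum'):
        out |= ingredients(G[1]) | ingredients(G[2])
    elif G[0] in ('exp', 'pow'):
        out |= ingredients(G[1])
    return out

def has_type(e, F, G):
    """Decide |- e : F <| G with the rules of Definition 4."""
    if F not in ingredients(G):
        return False
    if F == ID and G != ID:                  # |- e : Id <| G  from  |- e : G <| G
        return has_type(e, G, G)
    k = e[0]
    if k == 'empty':                         # |- 0 : F <| G
        return True
    if k == 'b':                             # |- b : B <| G  (b in B)
        return F[0] == 'B' and e[1] in F[1]
    if k == 'var':                           # |- x : G <| G
        return F == G
    if k == 'mu':                            # body typed at G <| G
        return F == G and has_type(e[2], G, G)
    if k == 'plus':                          # both summands at the same type
        return has_type(e[1], F, G) and has_type(e[2], F, G)
    if k in ('l', 'r'):                      # projections of a product
        return F[0] == 'prod' and has_type(e[1], F[1 if k == 'l' else 2], G)
    if k in ('lb', 'rb'):                    # injections of the lifted sum
        return F[0] == 'sum' and has_type(e[1], F[1 if k == 'lb' else 2], G)
    if k == 'app':                           # a(e) : F^A <| G  (a in A)
        return F[0] == 'exp' and e[1] in F[2] and has_type(e[2], F[1], G)
    if k == 'set':                           # {e} : P_w F <| G
        return F[0] == 'pow' and has_type(e[1], F[1], G)
    return False

def free_vars(e, bound=frozenset()):
    k = e[0]
    if k == 'var':
        return set() if e[1] in bound else {e[1]}
    if k == 'mu':
        return free_vars(e[2], bound | {e[1]})
    return set().union(*(free_vars(c, bound) for c in e[1:] if isinstance(c, tuple)))

def is_eps(e):
    """Production (2): eps ::= x | eps (+) eps | gamma."""
    if e[0] == 'var':
        return True
    if e[0] == 'plus':
        return is_eps(e[1]) and is_eps(e[2])
    return is_guarded(e)

def is_guarded(e):
    """Production (3): every variable sits under some constructor."""
    k = e[0]
    if k in ('empty', 'b'):
        return True
    if k == 'plus':
        return is_guarded(e[1]) and is_guarded(e[2])
    if k == 'mu':
        return is_guarded(e[2])
    if k in ('l', 'r', 'lb', 'rb', 'set'):
        return is_eps(e[1])
    return is_eps(e[2]) if k == 'app' else False     # a bare variable: not guarded

def well_typed(e, G):
    """e in Exp_G: closed, generated by (2)/(3), and |- e : G <| G."""
    return not free_vars(e) and is_eps(e) and has_type(e, G, G)

# Constructed instances: the stream functor S = B x Id with B = {0, 1} and the
# well-typed / ill-typed expressions listed in Example 1.
TWO = ('B', frozenset({0, 1}))
S = ('prod', TWO, ID)
def b(v): return ('b', v)
def var(x): return ('var', x)
def mu(x, e): return ('mu', x, e)
def plus(e1, e2): return ('plus', e1, e2)
def l(e): return ('l', e)
def r(e): return ('r', e)
WELL = [('empty',), plus(l(b(1)), r(l(('empty',)))), plus(mu('x', r(var('x'))), l(b(1)))]
ILL = [('lb', b(1)), plus(l(b(1)), b(1)), mu('x', b(1))]
```

The same checker accepts Mealy-machine expressions over $(B \times \mathrm{Id})^A$ without change, since only the functor argument differs.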

By applying the definition in [23], the coalgebra structure on expressions $\delta_{\mathcal{S}}$ would be given by:

$$\begin{array}{ll}
\delta_{\mathcal{S}}\colon \mathsf{Exp}_{\mathcal{S}} \to B \times \mathsf{Exp}_{\mathcal{S}} & \\
\delta_{\mathcal{S}}(\emptyset) = (\bot_B, \emptyset) & \\
\delta_{\mathcal{S}}(\varepsilon_1 \oplus \varepsilon_2) = (b_1 \vee b_2,\ \varepsilon_1' \oplus \varepsilon_2') & \text{where } (b_i, \varepsilon_i') = \delta_{\mathcal{S}}(\varepsilon_i),\ i \in \overline{1,2} \\
\delta_{\mathcal{S}}(\mu x.\varepsilon) = \delta_{\mathcal{S}}(\varepsilon[\mu x.\varepsilon / x]) & \\
\delta_{\mathcal{S}}(l(\tau)) = (\delta_{B \lhd \mathcal{S}}(\tau), \emptyset) & \\
\delta_{\mathcal{S}}(r(\varepsilon)) = (\bot_B, \varepsilon) & \\
\delta_{B \lhd \mathcal{S}}(\emptyset) = \bot_B & \\
\delta_{B \lhd \mathcal{S}}(b) = b & \\
\delta_{B \lhd \mathcal{S}}(\tau \oplus \tau') = \delta_{B \lhd \mathcal{S}}(\tau) \vee \delta_{B \lhd \mathcal{S}}(\tau') &
\end{array}$$

The proof of Kleene's theorem provides algorithms to go from expressions to streams and vice-versa. We illustrate it by means of examples. Consider the following stream:

(figure omitted: a three-state stream automaton with states $s_1$, $s_2$, $s_3$)

We draw the stream with an automata-like flavor. The transitions indicate the tail of the stream represented by a state and the output value the head. In a more traditional notation, the above automaton represents the infinite stream $(1, 0, 1, 0, 1, 0, 1, \ldots)$.

To compute expressions $\varepsilon_1$, $\varepsilon_2$ and $\varepsilon_3$ equivalent to $s_1$, $s_2$ and $s_3$ we associate with each state $s_i$ a variable $x_i$ and get the equations:

$$\varepsilon_1 = \mu x_1.\, l(1) \oplus r(x_2) \qquad \varepsilon_2 = \mu x_2.\, l(0) \oplus r(x_3) \qquad \varepsilon_3 = \mu x_3.\, l(1) \oplus r(x_2)$$

As our goal is to remove all the occurrences of free variables in our expressions, we proceed as follows. First we substitute $x_2$ by $\varepsilon_2$ in $\varepsilon_1$, and $x_3$ by $\varepsilon_3$ in $\varepsilon_2$, and obtain the following expressions:

$$\varepsilon_1 = \mu x_1.\, l(1) \oplus r(\varepsilon_2) \qquad \varepsilon_2 = \mu x_2.\, l(0) \oplus r(\varepsilon_3)$$

Note that at this point $\varepsilon_1$ and $\varepsilon_2$ already denote closed expressions. Therefore, as a last step, we replace $x_2$ in $\varepsilon_3$ by $\varepsilon_2$ and get the following closed expressions:

$$\varepsilon_1 = \mu x_1.\, l(1) \oplus r(\varepsilon_2) \qquad \varepsilon_2 = \mu x_2.\, l(0) \oplus r(\varepsilon_3) \qquad \varepsilon_3 = \mu x_3.\, l(1) \oplus r(\mu x_2.\, l(0) \oplus r(x_3))$$

satisfying, by construction, $\varepsilon_1 \sim s_1$, $\varepsilon_2 \sim s_2$ and $\varepsilon_3 \sim s_3$.

For the converse construction, consider the expression $\varepsilon = (\mu x.r(x)) \oplus l(1)$. We construct an automaton by repeatedly applying the coalgebra structure on expressions $\delta_{\mathcal{S}}$, modulo associativity, commutativity and idempotence (ACI) of $\oplus$ in order to guarantee finiteness.

First, note that $\delta_{\mathcal{S}}(\mu x.r(x)) = \delta_{\mathcal{S}}(r(\mu x.r(x))) = (\bot_B, \mu x.r(x))$. Applying the definition of $\delta_{\mathcal{S}}$ above, we have:

$$\delta_{\mathcal{S}}(\varepsilon) = (1,\ (\mu x.r(x)) \oplus \emptyset) \quad\text{and}\quad \delta_{\mathcal{S}}((\mu x.r(x)) \oplus \emptyset) = (0,\ (\mu x.r(x)) \oplus \emptyset)$$

which leads to the following stream (automaton):

(figure omitted: two states, $\varepsilon$ with output $1$ and $(\mu x.r(x)) \oplus \emptyset$ with output $0$, the first moving to the second and the second looping to itself)

At this point, we want to remark that the direct application of $\delta_{\mathcal{S}}$, without ACI, might generate infinite automata. Take, for instance, the expression $\varepsilon = \mu x.r(x \oplus x)$. Note that $\delta_{\mathcal{S}}(\mu x.r(x \oplus x)) = (0, \varepsilon \oplus \varepsilon)$, $\delta_{\mathcal{S}}(\varepsilon \oplus \varepsilon) = (0, (\varepsilon \oplus \varepsilon) \oplus (\varepsilon \oplus \varepsilon))$, and so on. This would generate the infinite automaton

(figure omitted: the chain $\varepsilon \to \varepsilon \oplus \varepsilon \to (\varepsilon \oplus \varepsilon) \oplus (\varepsilon \oplus \varepsilon) \to \cdots$, every state with output $0$)

instead of the intended, simple and very finite, automaton

(figure omitted: the single state $\varepsilon$ with output $0$ and a self-loop)

In order to guarantee finiteness, one needs to identify the expressions modulo associativity, commutativity and idempotence (ACI), as we will discuss further in this paper. Moreover, the axiom $\varepsilon \oplus \emptyset = \varepsilon$ could also be used in order to obtain smaller automata, but it is not crucial for termination.

Throughout the paper, we will often use streams as a basic example to illustrate the definitions. It should be remarked that the framework is general enough to include more complex examples, such as deterministic automata, automata on guarded strings, Mealy machines and labelled transition systems. The latter two will be used as examples in Section 6.



3. A Decision Procedure for the Equivalence of Generalized Regular 
Expressions 

In this section, we briefly describe the decision procedure to determine 
whether two expressions are equivalent or not. 

The key observation is that point 1. of Theorem 1 above guarantees that each expression in the language for a given system can always be associated to a finite coalgebra. Given two expressions $\varepsilon_1$ and $\varepsilon_2$ in the language $\mathsf{Exp}_{\mathcal{G}}$ of a given functor $\mathcal{G}$ we can decide whether they are equivalent by constructing a finite bisimulation between them. This is because the finite coalgebra generated from an expression contains precisely all states that one needs to construct the equivalence relation. Even though this might seem like a trivial observation, it has very concrete consequences: for (all well-typed) generalized regular expressions we can always either determine that they are bisimilar, and exhibit a proof in the form of a bisimulation, or conclude that they are not bisimilar and pinpoint the difference by showing why the bisimulation construction failed. Hence, we have a decision procedure for equivalence of generalized regular expressions.

We will give the reader a brief example on how the equivalence check works. Further examples, for different types of systems, including examples of non-equivalence, will appear in Section 6.

We will show that the stream expressions $\varepsilon_1 = \mu x.r(x) \oplus l(0)$ and $\varepsilon_2 = r(\mu x.r(x) \oplus l(0)) \oplus l(0)$ are equivalent. In order to do that, we have to build a bisimulation relation $\mathcal{R}$ on expressions for the stream functor $\mathcal{S}$, defined above, such that $(\varepsilon_1, \varepsilon_2) \in \mathcal{R}$. We do this in the following way: we start by taking $\mathcal{R} = \{(\varepsilon_1, \varepsilon_2)\}$ and we check whether this is already a bisimulation, by applying $\delta_{\mathcal{S}}$ to each of the expressions and checking whether the expressions have the same output value and, moreover, that no new pairs of expressions (modulo associativity, commutativity and idempotence; for more details see page [?]) appear when taking transitions. If new pairs of expressions appear we add them to $\mathcal{R}$ and repeat the process. Intuitively, for this particular example, the transition structure can be depicted as follows:

(Figure 1 in text form: the construction starts with $\mathcal{R} = \{(\varepsilon_1, \varepsilon_2)\}$; taking a transition from each side yields the pair $(\varepsilon_1, \varepsilon_1)$, which is not yet in $\mathcal{R}$, so it is added, giving $\mathcal{R} = \{(\varepsilon_1, \varepsilon_2), (\varepsilon_1, \varepsilon_1)\}$; this relation is closed under transitions.)

Figure 1: Bisimulation construction

Here, we omit the output values of the expressions, which are all $0$. In the figure above, we use the notation $\varepsilon_1 \,\mathcal{R}\, \varepsilon_2$ to denote $(\varepsilon_1, \varepsilon_2) \in \mathcal{R}$. As illustrated in Figure 1, $\mathcal{R} = \{(\varepsilon_1, \varepsilon_2), (\varepsilon_2, \varepsilon_2)\}$ is closed under transitions and is therefore a bisimulation. Hence, $\varepsilon_1$ and $\varepsilon_2$ are bisimilar and specify the same infinite stream (concretely, the stream with only zeros).
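As an added example, not code from the paper or from CIRC, the following Python implements $\delta_{\mathcal{S}}$ from Example 1 with $\oplus$ normalised modulo ACI (plus the optional unit law $\varepsilon \oplus \emptyset = \varepsilon$ mentioned there) and runs the bisimulation construction of this section on $\varepsilon_1$ and $\varepsilon_2$; it also shows that $\mu x.r(x \oplus x)$ from Example 1 generates a one-state coalgebra under that normalisation and unfolds the closed expressions for the stream $(1, 0, 1, 0, \ldots)$. The tuple encoding of expressions is our own assumption.

```python
"""Stream expressions over S = B x Id, B = {0, 1} with join = max.
Terms: ('empty',) | ('b', v) | ('plus', frozenset) | ('var', x)
       | ('mu', x, e) | ('l', tau) | ('r', e)        (constructed encoding)"""
BOT, EMPTY = 0, ('empty',)

def plus(*es):
    """(+) modulo ACI: flatten, drop 0 (unit law), keep summands as a set."""
    items = set()
    for e in es:
        if e != EMPTY:
            items |= e[1] if e[0] == 'plus' else {e}
    if len(items) <= 1:
        return next(iter(items), EMPTY)
    return ('plus', frozenset(items))

def subst(e, x, rep):
    """e[rep/x]: replace the free occurrences of x in e."""
    k = e[0]
    if k == 'var':
        return rep if e[1] == x else e
    if k == 'mu':
        return e if e[1] == x else ('mu', e[1], subst(e[2], x, rep))
    if k == 'plus':
        return plus(*(subst(s, x, rep) for s in e[1]))
    if k == 'r':
        return ('r', subst(e[1], x, rep))
    return e                       # 0, b and l(tau) contain no variables

def delta_B(tau):
    """delta_{B<|S}: the value of a B-typed expression in the semilattice."""
    if tau == EMPTY:
        return BOT
    return tau[1] if tau[0] == 'b' else max(delta_B(t) for t in tau[1])

def delta(e):
    """delta_S(e) = (head, tail), one transition of the coalgebra on expressions."""
    k = e[0]
    if k == 'empty':
        return BOT, EMPTY
    if k == 'plus':
        parts = [delta(s) for s in e[1]]
        return max(h for h, _ in parts), plus(*(t for _, t in parts))
    if k == 'mu':
        return delta(subst(e[2], e[1], e))      # unfold mu x.e once
    if k == 'l':
        return delta_B(e[1]), EMPTY
    if k == 'r':
        return BOT, e[1]
    raise ValueError(f'not a closed guarded S-expression: {e!r}')

def reachable(e, limit=50):
    """State set of the coalgebra generated from e; finite thanks to the
    normalisation in plus().  'limit' just guards against runaway growth."""
    seen, todo = set(), [e]
    while todo and len(seen) <= limit:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.append(delta(s)[1])
    return seen

def stream_prefix(e, n):
    """The first n elements of the stream that e denotes."""
    out = []
    for _ in range(n):
        h, e = delta(e)
        out.append(h)
    return out

def bisimilar(e1, e2):
    """Section 3: close {(e1, e2)} under delta_S.  Returns (True, R) or
    (False, pair) where pair is the first pair whose outputs differ."""
    R, todo = set(), [(e1, e2)]
    while todo:
        p, q = todo.pop()
        if (p, q) in R:
            continue
        (hp, tp), (hq, tq) = delta(p), delta(q)
        if hp != hq:
            return False, (p, q)
        R.add((p, q))
        todo.append((tp, tq))
    return True, R

def mu(x, e): return ('mu', x, e)
def var(x): return ('var', x)
def l(v): return ('l', ('b', v))
def r(e): return ('r', e)

# Section 3: eps1 = mu x.r(x)(+)l(0) and eps2 = r(eps1)(+)l(0)
EPS1 = mu('x', plus(r(var('x')), l(0)))
EPS2 = plus(r(EPS1), l(0))
# Example 1: mu x.r(x(+)x) is finite only modulo ACI
BLOWUP = mu('x', r(plus(var('x'), var('x'))))
# Example 1: the closed expressions for the stream (1,0,1,0,...)
E3 = mu('x3', plus(l(1), r(mu('x2', plus(l(0), r(var('x3')))))))
E2 = mu('x2', plus(l(0), r(E3)))
E1 = mu('x1', plus(l(1), r(E2)))
```

`bisimilar(EPS1, EPS2)` returns the two-pair relation of Figure 1, and `reachable(BLOWUP)` is the single state that the ACI-normalised construction produces.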
4. An Algebraic View on the Coalgebra of Generalized Regular Expressions

Recall that our goal is to reason about equality of generalized regular expressions in a fully automated manner. As we showed in the introduction, obtaining this equality can be achieved in two distinct ways: either algebraically, reasoning with the axioms, or coalgebraically, by constructing a bisimulation relation. The latter, because of its algorithmic nature, is particularly suited for automation. Automatic constructions of bisimulations have been widely explored in CIRC and we will use this tool to implement our algorithm. This section contains material that enables us to soundly use CIRC. We want to stress however that the main result of the paper is the description of a decision procedure to determine whether two expressions are equivalent or not. This procedure in turn could be implemented in any other suitable tool or even as a standalone application. Choosing CIRC was natural for us, given the pre-existing work on bisimulation constructions. In Section 5 we show that the process of generating the $\mathcal{G}$-coalgebras associated to expressions by repeatedly applying $\delta_{\mathcal{G}}$ and normalizing the expressions obtained at each step is closely related to the proving mechanism already existent in CIRC.

In Section 2 we have introduced a (theoretical) framework which, given a functor $\mathcal{G}$, allows for the uniform derivation of 1) a language $\mathsf{Exp}_{\mathcal{G}}$ for specifying behaviors of $\mathcal{G}$-systems, and 2) a coalgebraic structure on $\mathsf{Exp}_{\mathcal{G}}$, which provides an operational semantics to the set of expressions. In this context, given that CIRC is based on algebraic specifications, we need two things in order to reach our final goal:

• extend and adapt the framework of Section 2 in order to enable the implementation of a tool which allows the automatic derivation of algebraic specifications that model 1) and 2) above, to deliver to CIRC;

• provide a decision procedure, implemented in CIRC based on an equational entailment relation, in order to check bisimilarity of expressions.

In the rest of the paper we will present the algebraic setting for reasoning on bisimilarity of generalized regular expressions. A brief overview on the parallel between the coalgebraic concepts in [23] and their algebraic correspondents introduced in this section is provided later, in Figure 5.

Algebraic specifications. An algebraic specification is a triple $\mathcal{E} = (S, \Sigma, E)$, where $S$ is a set of sorts, $\Sigma$ is an $S$-sorted signature and $E$ is a set of conditional equations of the form $(\forall X)\, t = t'\ \text{if}\ (\bigwedge_{i \in I} u_i = v_i)$, where $t$, $t'$, $u_i$, and $v_i$ ($i \in I$, a set of indices for the conditions) are $\Sigma$-terms with variables in $X$. We say that the sort of the equation is $s$ whenever $t, t' \in T_{\Sigma,s}(X)$. Here, $T_{\Sigma,s}(X)$ denotes the set of terms of sort $s$ of the $\Sigma$-algebra freely generated by $X$. If $I = \{\}$ then the equation is unconditional and may be written as $(\forall X)\, t = t'$.

Let $\vdash$ be the equational entailment (deduction) relation defined as in [?]. For consistency reasons, we write $\mathcal{E} \vdash e$ whenever equation $e$ is deducible from the equations $E$ in $\mathcal{E}$ by reflexivity, symmetry, transitivity, congruence or substitutivity (i.e., whenever $E \vdash e$).

In this paper, the algebraic specifications of coalgebras of generalized regular expressions are built on top of definitions based on grammars in Backus-Naur form (BNF) such as (1) and (2). Therefore, in what follows, we introduce the general technique for transforming BNF notations into algebraic specifications.

From BNF grammars to algebraic specifications. The general rule used for translating definitions based on BNF grammars into algebraic specifications is as follows: each syntactical category and vocabulary is considered as a sort and each production is considered as a constructor operation or a subsort relation.

For instance, according to the grammar (1) of non-deterministic functors, we have a sort SltName, representing the vocabulary of join-semilattices $B$, a sort AlphName, for the vocabulary of the alphabets $A$, a sort Functor associated to the syntactical category of the non-deterministic functors $\mathcal{G}$, a subsort relation SltName < Functor representing the production $\mathcal{G} ::= B$, and constructor operations for the other productions.

Generally, each production A ::= rhs gives rise to a constructor (rhs) → (A), the direction of the arrow being reversed. For instance, for grammar (1), the production $\mathcal{G} ::= \mathrm{Id}$ is represented by a constant (nullary operation) Id : → Functor, and the sum construction by the binary operation _ $\bar{\oplus}$ _ : Functor Functor → Functor.

Remark 3. Note that the above mechanism for translating BNF grammars into algebraic specifications makes use of subsort relations for representing productions such as $\mathcal{G} ::= B$. This is because CIRC works with order-sorted algebras, and we want to keep the algebraic specifications of non-deterministic functors as close as possible to their implementation in CIRC. However, order-sorted algebras can be reduced to many-sorted algebras [?], where a subsort relation $s < s'$ is modeled by an inclusion operation $c_{s,s'}\colon s \to s'$. This way, even if we use order-sorted algebras, we remain in the framework of circular coinduction.

The algebraic specifications of coalgebras of generalized regular expressions are defined in a modular fashion, based on the specifications of:

• non-deterministic functors ($\mathcal{G}$);

• generalized regular expressions ($\varepsilon \in \mathsf{Exp}_{\mathcal{G}}$);

• "transition" functions ($\delta_{\mathcal{G}}$);

• "structured" expressions ($\sigma \in \mathcal{F}(\mathsf{Exp}_{\mathcal{G}})$, for all ingredients $\mathcal{F}$ of $\mathcal{G}$).

Moreover, recall that for a non-deterministic functor $\mathcal{G}$, bisimilarity of $\mathcal{G}$-expressions is decided based on the relation lifting $\overline{\mathcal{G}}$ over "structured" expressions in $\mathcal{G}(\mathsf{Exp}_{\mathcal{G}})$ (Definition 1). Therefore, the deduction relation $\vdash$ has to be extended to allow a restricted contextual reasoning over "structured" expressions in $\mathcal{F}(\mathsf{Exp}_{\mathcal{G}})$, for all ingredients $\mathcal{F}$ of $\mathcal{G}$.

The aforementioned algebraic specifications and the extension of $\vdash$ are modeled as follows.

The algebraic specification of a non-deterministic functor $\mathcal{G}$. It includes:

• the translation of the BNF grammar (1), as presented above;

• the specification of the functor ingredients, given by a sort Ingredient and a constructor _ ◁ _ : Functor Functor → Ingredient (according to Definition 2);

• the specification of each alphabet $A = \{a_1, \ldots, a_n\}$ occurring in the definition of $\mathcal{G}$: this consists of a subsort A < Alph, a constant $a_i$ : → A for $i \in \overline{1,n}$, and a distinguished constant A of sort AlphName used to refer to the alphabet in the definition of the functor;

• the specification of each semilattice $B = (\{b_1, \ldots, b_n\}, \vee, \bot_B)$ occurring in the definition of $\mathcal{G}$: this consists of a subsort B < Slt, a constant $b_i$ : → B for $i \in \overline{1,n}$, a distinguished constant B of sort SltName used to refer to the corresponding semilattice in the definition of the functor, and the equations defining $\vee$ and $\bot_B$ (this should be one of the $b_i$);

• an equation defining $\mathcal{G}$ (as a functor expression).

The algebraic specification of generalized regular expressions. It consists of:

• (according to the BNF grammar in Definition 3) a sort Exp representing expressions $\varepsilon$, FixpVar the sort for the vocabulary of the fixed-point variables, and Slt the sort for the elements of semilattices. Moreover, we consider constructor operations for all the productions. For example, the production $\varepsilon ::= \varepsilon \oplus \varepsilon$ is represented by an operation _ ⊕ _ : Exp Exp → Exp, and $\varepsilon ::= \mu x.\gamma$ is represented by μ_._ : FixpVar Exp → Exp. (We chose not to provide any restriction to guarantee that $\gamma$ is a guarded expression at this stage in the definition of μ. However, guards can be easily checked by pattern matching, according to the grammars in Definition 3);

• the specification of the substitution of a fixed-point variable with an expression, given by an operation _[_/_] : Exp Exp FixpVar → Exp and a set of equations, one for each constructor. For example, the equations associated to $\emptyset$ and $\oplus$ are: $\emptyset[\varepsilon/x] = \emptyset$, and respectively, $(\varepsilon_1 \oplus \varepsilon_2)[\varepsilon/x] = (\varepsilon_1[\varepsilon/x]) \oplus (\varepsilon_2[\varepsilon/x])$, where $\varepsilon, \varepsilon_1, \varepsilon_2$ are $\mathcal{G}$-expressions and $x$ is a fixed-point variable;

• the specification of the type-checking relation in Definition 4, given by an operation _ : _ : Exp Ingredient → Bool and an equation for each inference rule defining this relation. For example the rule

$$\frac{\vdash \varepsilon_1 : \mathcal{F} \lhd \mathcal{G} \quad \vdash \varepsilon_2 : \mathcal{F} \lhd \mathcal{G}}{\vdash \varepsilon_1 \oplus \varepsilon_2 : \mathcal{F} \lhd \mathcal{G}}$$

is represented by the equation $\varepsilon_1 \oplus \varepsilon_2 : \mathcal{F} \lhd \mathcal{G} = \varepsilon_1 : \mathcal{F} \lhd \mathcal{G} \wedge \varepsilon_2 : \mathcal{F} \lhd \mathcal{G}$. The type-checking operator is used in order to verify whether the expressions checked for equivalence are well-typed (Definition 5). Moreover, note that for the consistency of notation, algebraically we write $\varepsilon : \mathcal{F} \lhd \mathcal{G}$ to represent expressions $\varepsilon$ of type $\mathcal{F} \lhd \mathcal{G}$.



The algebraic specification of $\delta_{\mathcal{G}}$. It consists of:

• the specification of the coalgebra of $\mathcal{G}$-expressions $\delta_{\mathcal{G}}$, given by three operations δ_(_) : Ingredient Exp -> ExpStruct, Empty : Ingredient -> ExpStruct, and Plus_(_,_) : Ingredient ExpStruct ExpStruct -> ExpStruct;

• a set of equations describing the definitions of these operations as in [23].



The algebraic specification of structured expressions. As mentioned above, the set of $\mathcal{G}$-expressions is provided with a coalgebraic structure given by the function $\delta_{\mathcal{G}} : \mathrm{Exp}_{\mathcal{G}} \to \mathcal{G}(\mathrm{Exp}_{\mathcal{G}})$, where $\mathcal{G}(\mathrm{Exp}_{\mathcal{G}})$ can be understood as the set of expressions with structure given by $\mathcal{G}$ (and its ingredients). The set of structured expressions is defined by the following grammar:

$$\sigma ::= \varepsilon \mid b \mid (\sigma, \sigma) \mid k_1(\sigma) \mid k_2(\sigma) \mid \bot \mid \top \mid \lambda.(a, \mathcal{F} \lhd \mathcal{G}, \sigma) \mid \{\sigma\} \qquad (5)$$

where $\varepsilon \in \mathrm{Exp}_{\mathcal{G}}$ and $b \in B$. The typing rules below give precise meaning to these expressions. Note that $\bot, \top$ are two expressions coming from $\mathcal{F} = \mathcal{F}_1 \oplus \mathcal{F}_2$, used to denote underspecification and overspecification, respectively. The associated algebraic specification includes:

• a sort ExpStruct representing expressions $\sigma$ (from $\mathcal{F}(\mathrm{Exp}_{\mathcal{G}})$, with $\mathcal{F} \lhd \mathcal{G}$) and one operation for each production in the BNF grammar (5). Note that the construction $\lambda.(a, \mathcal{F} \lhd \mathcal{G}, \sigma)$ has as coalgebraic correspondent a function $f \in \mathcal{F}^A(\mathrm{Exp}_{\mathcal{G}})$, and is defined by cases as follows: $\lambda.(a, \mathcal{F} \lhd \mathcal{G}, \sigma)(a') = $ if $(a = a')$ then $\sigma$ else $\mathrm{Empty}_{\mathcal{F} \lhd \mathcal{G}}$;

• the extension of the type-checking relation to structured expressions, defined by:

$$\frac{\vdash b : B \lhd \mathcal{G}}{\vdash b \in B(\mathrm{Exp}_{\mathcal{G}})} \qquad \frac{\vdash \varepsilon : \mathrm{Id} \lhd \mathcal{G}}{\vdash \varepsilon \in \mathrm{Id}(\mathrm{Exp}_{\mathcal{G}})}$$

$$\vdash \bot \in \mathcal{F}_1 \oplus \mathcal{F}_2(\mathrm{Exp}_{\mathcal{G}}) \qquad \vdash \top \in \mathcal{F}_1 \oplus \mathcal{F}_2(\mathrm{Exp}_{\mathcal{G}})$$

$$\frac{\vdash \sigma \in \mathcal{F}_i(\mathrm{Exp}_{\mathcal{G}})}{\vdash k_i(\sigma) \in \mathcal{F}_1 \oplus \mathcal{F}_2(\mathrm{Exp}_{\mathcal{G}})}\ i \in \{1,2\} \qquad \frac{\vdash \sigma_1 \in \mathcal{F}_1(\mathrm{Exp}_{\mathcal{G}}) \quad \vdash \sigma_2 \in \mathcal{F}_2(\mathrm{Exp}_{\mathcal{G}})}{\vdash (\sigma_1, \sigma_2) \in \mathcal{F}_1 \times \mathcal{F}_2(\mathrm{Exp}_{\mathcal{G}})}$$

$$\frac{\vdash \sigma \in \mathcal{F}(\mathrm{Exp}_{\mathcal{G}}), \ a \in A}{\vdash \lambda.(a, \mathcal{F} \lhd \mathcal{G}, \sigma) \in \mathcal{F}^A(\mathrm{Exp}_{\mathcal{G}})} \qquad \frac{\vdash \sigma \in \mathcal{F}(\mathrm{Exp}_{\mathcal{G}})}{\vdash \{\sigma\} \in \mathcal{P}_\omega \mathcal{F}(\mathrm{Exp}_{\mathcal{G}})}$$

and specified by an operation _∈_(Exp_) : ExpStruct Functor Functor -> Bool (where we used a mix-fix notation) and an equation for each of the above inference rules. For example, the first rule has associated the equation $b \in B(\mathrm{Exp}\,\mathcal{G}) = b : B \lhd \mathcal{G}$. For consistency of notation, we write $\sigma \in \mathcal{F}(\mathrm{Exp}_{\mathcal{G}})$ to denote that $\sigma$ is an element of $\mathcal{F}(\mathrm{Exp}_{\mathcal{G}})$.

Remark 4. In terms of membership equational logic (MEL), both $\mathcal{F} \lhd \mathcal{G}$ and $\mathcal{F}(\mathrm{Exp}_{\mathcal{G}})$ can be thought of as sorts and, for example, $\varepsilon : \mathcal{F} \lhd \mathcal{G}$ as a membership assertion. Even if MEL is an elegant theory, we prefer not to use it here because this would require the dynamic declaration of sorts and of a set of assertions for each such sort. The above approach is generic and therefore more flexible.



The equational entailment relation $\vdash_{NDF}$ for bisimilarity checking.

As previously hinted at the beginning of this section, in order to reason algebraically on bisimilarity of $\mathcal{G}$-expressions in CIRC, one has to extend the deduction relation $\vdash$ to allow a restricted contextual reasoning on expressions in $\mathcal{F}(\mathrm{Exp}_{\mathcal{G}})$, for all ingredients $\mathcal{F}$ of a non-deterministic functor $\mathcal{G}$. We call the extended entailment $\vdash_{NDF}$.

The aforementioned restriction refers to inhibiting the use of congruence during equational reasoning, in order to guarantee the soundness of CIRC proofs. This is realized by means of a freezing operator, which intuitively behaves as a wrapper on the expressions checked for equivalence, by changing their sort to a fresh sort Frozen. This way, the hypotheses collected during a CIRC proof session cannot be used freely in contextual reasoning, hence preventing the derivation of untrue equations (as illustrated in Example 2).

We further show how the freezing mechanism is implemented in our algebraic setting, and define $\vdash_{NDF}$.

Let $\mathcal{E}$ be an algebraic specification. We extend $\mathcal{E}$ by adding the freezing operation $\boxed{\_} : s \to \mathrm{Frozen}$ for each sort $s \in S$, where Frozen is a fresh sort. By $\boxed{t}$ we represent the frozen form of a $\Sigma$-term $t$, and by $\boxed{e}$ a frozen equation of the shape $(\forall X)\ \boxed{t} = \boxed{t'}$ if $c$. The entailment relation $\vdash$ is defined over frozen equations following the line in [17]; more details are provided in Section 5.

Recall (Definition 1) that a relation $\mathcal{R} \subseteq \mathrm{Exp}_{\mathcal{G}} \times \mathrm{Exp}_{\mathcal{G}}$ is a bisimulation if and only if $(s,t) \in \mathcal{R} \Rightarrow (\delta_{\mathcal{G} \lhd \mathcal{G}}(s), \delta_{\mathcal{G} \lhd \mathcal{G}}(t)) \in \mathcal{G}(\mathcal{R})$. Here, $\mathcal{G}(\mathcal{R}) \subseteq \mathcal{G}(\mathrm{Exp}_{\mathcal{G}}) \times \mathcal{G}(\mathrm{Exp}_{\mathcal{G}})$ is the lifting of the relation $\mathcal{R} \subseteq \mathrm{Exp}_{\mathcal{G}} \times \mathrm{Exp}_{\mathcal{G}}$, defined as

$$\mathcal{G}(\mathcal{R}) = \{(\mathcal{G}(\pi_1)(x), \mathcal{G}(\pi_2)(x)) \mid x \in \mathcal{G}(\mathcal{R})\}.$$

So, intuitively, reasoning on bisimilarity of two expressions $(\varepsilon, \varepsilon')$ in $\mathcal{R}$ reduces to checking whether the application of $\delta_{\mathcal{G} \lhd \mathcal{G}}$ maps them into $\mathcal{G}(\mathcal{R})$.

Therefore, checking whether a pair $(s^{\mathcal{G}}, t^{\mathcal{G}})$ is in $\mathcal{G}(\mathcal{R})$ consists in checking, for example for the case $\mathcal{G} = \mathcal{G}_1 \times \mathcal{G}_2$, whether $(s_1^{\mathcal{G}}, t_1^{\mathcal{G}}) \in \mathcal{G}_1(\mathcal{R})$ and $(s_2^{\mathcal{G}}, t_2^{\mathcal{G}}) \in \mathcal{G}_2(\mathcal{R})$, where $s^{\mathcal{G}} = (s_1^{\mathcal{G}}, s_2^{\mathcal{G}})$ and $t^{\mathcal{G}} = (t_1^{\mathcal{G}}, t_2^{\mathcal{G}})$. In an algebraic setting, this would reduce to building an algebraic specification $\mathcal{E}$ and defining an entailment relation $\vdash_{NDF}$ such that one can infer $\mathcal{E} \vdash_{NDF} \boxed{(s_1^{\mathcal{G}}, s_2^{\mathcal{G}})} = \boxed{(t_1^{\mathcal{G}}, t_2^{\mathcal{G}})}$ (this is the algebraic correspondent we consider for $((s_1^{\mathcal{G}}, s_2^{\mathcal{G}}), (t_1^{\mathcal{G}}, t_2^{\mathcal{G}})) \in \mathcal{G}(\mathcal{R})$) by showing $\mathcal{E} \vdash_{NDF} \boxed{s_1^{\mathcal{G}}} = \boxed{t_1^{\mathcal{G}}}$ (or $(s_1^{\mathcal{G}}, t_1^{\mathcal{G}}) \in \mathcal{G}_1(\mathcal{R})$) and $\mathcal{E} \vdash_{NDF} \boxed{s_2^{\mathcal{G}}} = \boxed{t_2^{\mathcal{G}}}$ (or $(s_2^{\mathcal{G}}, t_2^{\mathcal{G}}) \in \mathcal{G}_2(\mathcal{R})$). We hint that the aforementioned algebraic specification $\mathcal{E}$ consists of $\mathcal{E}_{\mathcal{G}}$ and a set of frozen equations (see Corollary 1).

The entailment relation $\vdash_{NDF}$ for reasoning on bisimilarity of $\mathcal{G}$-expressions is based on the definition of $\mathcal{G}$.

Definition 6. The entailment relation $\vdash_{NDF}$ is the extension of $\vdash$ with the following inference rules, which allow a restricted contextual reasoning over the frozen equations of structured expressions:

$$\frac{\mathcal{E}_{\mathcal{G}} \vdash_{NDF} \boxed{\sigma_1} = \boxed{\sigma'_1} \qquad \mathcal{E}_{\mathcal{G}} \vdash_{NDF} \boxed{\sigma_2} = \boxed{\sigma'_2}}{\mathcal{E}_{\mathcal{G}} \vdash_{NDF} \boxed{(\sigma_1, \sigma_2)} = \boxed{(\sigma'_1, \sigma'_2)}} \qquad (6)$$

$$\frac{\mathcal{E}_{\mathcal{G}} \vdash_{NDF} \boxed{\sigma} = \boxed{\sigma'}}{\mathcal{E}_{\mathcal{G}} \vdash_{NDF} \boxed{k_i(\sigma)} = \boxed{k_i(\sigma')}} \qquad (7)$$

$$\frac{\mathcal{E}_{\mathcal{G}} \vdash_{NDF} \boxed{f(a)} = \boxed{g(a)}, \ \text{for all } a \in A}{\mathcal{E}_{\mathcal{G}} \vdash_{NDF} \boxed{f} = \boxed{g}} \qquad (8)$$

$$\frac{\mathcal{E}_{\mathcal{G}} \vdash_{NDF} \boxed{\sigma_{i_l}} = \boxed{\sigma'_{j_l}}, \ \text{for all } l \in \overline{1,k}}{\mathcal{E}_{\mathcal{G}} \vdash_{NDF} \boxed{\{\sigma_1, \ldots, \sigma_n\}} = \boxed{\{\sigma'_1, \ldots, \sigma'_m\}}} \quad \begin{array}{l}\{i_1, \ldots, i_k\} = \{1, \ldots, n\}\\ \{j_1, \ldots, j_k\} = \{1, \ldots, m\}\end{array} \qquad (9)$$


Remark 5. Note that the extension of the entailment relation $\vdash$ to $\vdash_{NDF}$ implies that $\mathcal{E}_{\mathcal{G}} \vdash e$ iff $\mathcal{E}_{\mathcal{G}} \vdash_{NDF} e$ holds, for any equation $e$ of shape $\boxed{\varepsilon_1} = \boxed{\varepsilon_2}$ or $\varepsilon_1 = \varepsilon_2$, with $\varepsilon_1, \varepsilon_2$ non-structured expressions. Below, we will use the notation $\mathcal{E}_{\mathcal{G}} \vdash_{NDF} \mathcal{R}$, where $\mathcal{R}$ is a set of possibly frozen equations, to denote $\forall e \in \mathcal{R} \,.\, \mathcal{E}_{\mathcal{G}} \vdash_{NDF} e$.

It is interesting to recall the relation lifting for the powerset functor which is encoded in the last rule of Definition 6. A pair $(U, V)$ is in $\mathcal{P}_\omega \mathcal{F}(\mathcal{R})$ if and only if for every $u \in U$ there exists a $v \in V$ such that $(u,v)$ belongs to $\mathcal{F}(\mathcal{R})$ and, conversely, for every $v \in V$ there exists a $u \in U$ such that $(u,v)$ belongs to $\mathcal{F}(\mathcal{R})$.
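The membership test $(\sigma, \sigma') \in \mathcal{F}(\mathcal{R})$ that rules (6)-(9) encode can be run directly on concrete structured values. The following Python function is an added example, not the paper's Maude specification nor the CIRC tool: the encoding of functor ingredients as nested tuples, the tags "k1"/"k2"/"bot"/"top" for the coproduct, and the sample expression names e1, e2, p, q, r are my own assumptions. It decides the lifting for every ingredient kind of the grammar above, the powerset case being the two-sided search of Remark 5.

```python
# Added example: deciding (s, t) in F(R) for structured values, following rules (6)-(9).
# Functor ingredients are encoded as nested tuples (an assumed encoding, not the paper's sorts):
#   ("B",)          constant semilattice functor   structured value: an element b of B
#   ("Id",)         identity                       structured value: an expression (any hashable)
#   ("x", F1, F2)   product                        (s1, s2)
#   ("+", F1, F2)   coproduct                      ("k1", s) | ("k2", s) | "bot" | "top"
#   ("^", A, F)     exponent, A a tuple of letters dict letter -> structured value
#   ("P", F)        finite powerset                frozenset of structured values

def in_lifting(F, s, t, R):
    """Decide whether (s, t) lies in the lifting F(R); R is a set of pairs of expressions.

    R is used as given: the caller is responsible for closing it under reflexivity,
    symmetry and transitivity (the cl(R_id) of the paper) if that is intended.
    """
    kind = F[0]
    if kind == "B":                        # constants are related only to themselves
        return s == t
    if kind == "Id":                       # base case: look the pair up in R
        return s == t or (s, t) in R
    if kind == "x":                        # rule (6): componentwise
        return in_lifting(F[1], s[0], t[0], R) and in_lifting(F[2], s[1], t[1], R)
    if kind == "+":                        # rule (7): same injection, related payloads
        if s in ("bot", "top") or t in ("bot", "top"):
            return s == t
        if s[0] != t[0]:
            return False
        Fi = F[1] if s[0] == "k1" else F[2]
        return in_lifting(Fi, s[1], t[1], R)
    if kind == "^":                        # rule (8): pointwise over the alphabet
        return all(in_lifting(F[2], s[a], t[a], R) for a in F[1])
    if kind == "P":                        # rule (9): every element has a partner, both ways
        return (all(any(in_lifting(F[1], u, v, R) for v in t) for u in s) and
                all(any(in_lifting(F[1], u, v, R) for u in s) for v in t))
    raise ValueError(f"unknown functor encoding: {F!r}")

# Mealy machines, (B x Id)^A with A = {a, b}, and LTSs, (P_omega Id)^A, as in the paper's examples.
MEALY = ("^", ("a", "b"), ("x", ("B",), ("Id",)))
LTS = ("^", ("a",), ("P", ("Id",)))

if __name__ == "__main__":
    R = {("e1", "e2"), ("e2", "e2")}                     # constructed sample relation
    s = {"a": (0, "e1"), "b": (0, "e2")}                 # delta of a state looping on a
    t = {"a": (0, "e2"), "b": (0, "e2")}                 # delta of the empty expression
    print(in_lifting(MEALY, s, t, R))                    # True
    u, v = {"a": frozenset({"p", "q"})}, {"a": frozenset({"r"})}
    print(in_lifting(LTS, u, v, {("p", "r")}))          # False: q has no partner in {r}
```

A pair that fails the check is exactly a pair for which no instance of the corresponding rule exists; in the powerset case the failing element (here q) is the witness that rule (9) cannot be applied.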

Remark 6. As already hinted (and proved in Corollary 1), reasoning on bisimilarity of expressions in a binary relation $\mathcal{R} \subseteq \mathrm{Exp}_{\mathcal{G}} \times \mathrm{Exp}_{\mathcal{G}}$ reduces to showing that $\delta_{\mathcal{G}}(s) = \delta_{\mathcal{G}}(t)$ is a $\vdash_{NDF}$-consequence, for all $(s,t) \in \mathcal{R}$. The equational proof is performed in a "top-down" fashion, by reasoning on the subsequent equalities between the components of the corresponding structured expressions $\delta_{\mathcal{G}}(s)$, $\delta_{\mathcal{G}}(t)$ in an inductive manner. This is realized by applying the inverted rules (6)-(9).

Moreover, note that rule (9) is not invertible in the usual sense; rather, any statement matching the form of the conclusion can only be proved by some instance of the rule.
We will further formalize the connection between the inductive definition of $\mathcal{G}$ (on the coalgebraic side) and $\vdash_{NDF}$ (on the algebraic side) in Theorem 2, hence enabling the definition of bisimulations in algebraic terms, in Corollary 1.

Remark 7. Equations in $\mathcal{E}_{\mathcal{G}}$ (built as previously described in this section) are used in the equational reasoning only for reducing terms of shape $op(t_1, \ldots, t_n)$ according to the definition of the operation $op$. For the simplicity of the proofs of Theorem 2 and Corollary 1, whenever we write $op(t_1, \ldots, t_n)$, we refer to the associated term reduced according to the definition of $op$.

First we introduce some notation conventions. Let $\mathcal{G}$ be a non-deterministic functor and $\mathcal{R} \subseteq \mathrm{Exp}_{\mathcal{G}} \times \mathrm{Exp}_{\mathcal{G}}$. We write:

• $\mathcal{R}_{id}$ to denote the set $\mathcal{R} \cup \{(\varepsilon, \varepsilon) \mid \mathcal{E}_{\mathcal{G}} \vdash \varepsilon : \mathcal{G} \lhd \mathcal{G} = true\}$;

• $cl(\mathcal{R})$ for the closure of $\mathcal{R}$ under transitivity, symmetry and reflexivity;

• $\boxed{\mathcal{R}}$ to represent the set $\bigcup_{e \in \mathcal{R}} \{\boxed{e}\}$ (application of the freezing operator to all elements of $\mathcal{R}$);

• $\delta_{\mathcal{G} \lhd \mathcal{G}}(\varepsilon = \varepsilon')$ to represent the equation $\delta_{\mathcal{G} \lhd \mathcal{G}}(\varepsilon) = \delta_{\mathcal{G} \lhd \mathcal{G}}(\varepsilon')$;

• $\mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}}$ as a shorthand for $(S, \Sigma, E \cup \{\boxed{\varepsilon} = \boxed{\varepsilon'} \mid (\varepsilon, \varepsilon') \in \mathcal{R}\})$, where $\mathcal{E}_{\mathcal{G}} = (S, \Sigma, E)$;

• $(\sigma, \sigma') \in \mathcal{F}(\mathcal{R})$ as a shorthand for: $(\sigma, \sigma')$ is among the enumerated elements of a set $S$ explicitly constructed as an enumeration of the finite set $\mathcal{F}(\mathcal{R})$ (in the algebraic setting, $\mathcal{F}(\mathcal{R})$ is a subset of $T_{\Sigma, \mathrm{ExpStruct}} \times T_{\Sigma, \mathrm{ExpStruct}}$ and $\mathcal{E}_{\mathcal{G}} \vdash \mathcal{F}(\mathcal{R}) = S$).

Theorem 2. Consider a non-deterministic functor $\mathcal{G}$. Let $\mathcal{F}$ be an ingredient of $\mathcal{G}$, $\mathcal{R}$ a binary relation on the set of $\mathcal{G}$-expressions, and $\sigma, \sigma' \in \mathcal{F}(\mathrm{Exp}_{\mathcal{G}})$.

a) If $\mathcal{G}$ is not a constant functor, then $(\sigma, \sigma') \in \mathcal{F}(cl(\mathcal{R}_{id}))$ iff $\mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \boxed{\sigma} = \boxed{\sigma'}$.

b) If $\mathcal{G}$ is a constant functor $B$, then $(\sigma, \sigma') \in B(cl(\mathcal{R}_{id}))$ iff $\mathcal{E}_{\mathcal{G}} \vdash_{NDF} \boxed{\sigma} = \boxed{\sigma'}$.

In order to prove Theorem 2 a) we introduce the following lemma:

Lemma 1. Consider $\mathcal{G}$ a non-deterministic functor and $\mathcal{R}$ a binary relation on the set of $\mathcal{G}$-expressions. If $(\varepsilon, \varepsilon') \in cl(\mathcal{R}_{id})$ then $\mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \boxed{\varepsilon} = \boxed{\varepsilon'}$.

Proof. The proof is trivial, as equality is reflexive, symmetric and transitive. □

We are now ready to prove Theorem 2.

Proof (Theorem 2).

• Proof of Theorem 2 a).

"⇒". The proof is by induction on the structure of $\mathcal{F}$.

Base case:

* $\mathcal{F} = B$. It follows that $(\sigma, \sigma')$ is of shape $(b, b)$ where $b \in B$, therefore $\mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \boxed{b} = \boxed{b}$ holds by reflexivity.

* $\mathcal{F} = \mathrm{Id}$. In this case $(\sigma, \sigma') \in cl(\mathcal{R}_{id}) = \mathrm{Id}(cl(\mathcal{R}_{id}))$, so the result follows immediately by Lemma 1.

Induction step:

* $\mathcal{F} = \mathcal{F}_1 \times \mathcal{F}_2$. Obviously, $\sigma = (\sigma_1, \sigma_2)$ and $\sigma' = (\sigma'_1, \sigma'_2)$, where $(\sigma_1, \sigma'_1) \in \mathcal{F}_1(cl(\mathcal{R}_{id}))$ and $(\sigma_2, \sigma'_2) \in \mathcal{F}_2(cl(\mathcal{R}_{id}))$. Therefore, by the induction hypothesis, both $\mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \boxed{\sigma_1} = \boxed{\sigma'_1}$ and $\mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \boxed{\sigma_2} = \boxed{\sigma'_2}$ hold. Hence, according to the definition of $\vdash_{NDF}$ (rule (6)), we conclude that $\mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \boxed{(\sigma_1, \sigma_2)} = \boxed{(\sigma'_1, \sigma'_2)}$ holds.

* The cases $\mathcal{F} = \mathcal{F}_1 \oplus \mathcal{F}_2$, $\mathcal{F} = \mathcal{F}_1^A$ and $\mathcal{F} = \mathcal{P}_\omega \mathcal{F}_1$ are handled in a similar way.

"⇐". We proceed also by induction on the structure of $\mathcal{F}$. Moreover, recall that the observations in Remark 7 hold (for each of the subsequent cases).

Base case:

* $\mathcal{F} = B$. In this case $(\sigma, \sigma')$ is of shape $(b, b')$, where $b, b'$ are two elements of the semilattice $B$. Also, recall that $\mathcal{G} \neq B$, therefore the equations in $\mathcal{R}$ (between expressions of type $\mathcal{G} \lhd \mathcal{G}$, not elements of $B(\mathrm{Exp}_{\mathcal{G}})$) are not involved in the equational reasoning. We deduce that $\boxed{b} = \boxed{b'}$ is proved by reflexivity, hence $(b, b') = (b, b) \in B(cl(\mathcal{R}_{id}))$.

* $\mathcal{F} = \mathrm{Id}$. Note that for this case, $\sigma, \sigma'$ are expressions of the same type as the expressions in $\mathcal{R}$. We further identify two possibilities:

  · $\boxed{\sigma} = \boxed{\sigma'}$ is proved by reflexivity, therefore $(\sigma, \sigma') \in \{(\varepsilon, \varepsilon) \mid \varepsilon : \mathcal{G} \lhd \mathcal{G}\} \subseteq \mathcal{R}_{id} \subseteq cl(\mathcal{R}_{id}) = \mathrm{Id}(cl(\mathcal{R}_{id}))$.

  · the equations in $\boxed{\mathcal{R}}$ are used in the equational reasoning $\mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \boxed{\sigma} = \boxed{\sigma'}$. In addition, the freezing operator inhibits contextual reasoning, therefore $\boxed{\sigma} = \boxed{\sigma'}$ is proved according to the equations in $\boxed{\mathcal{R}}$ based on the symmetry and transitivity of $\vdash_{NDF}$. In other words, $(\sigma, \sigma') \in cl(\mathcal{R}_{id}) = \mathrm{Id}(cl(\mathcal{R}_{id}))$.

Induction step:

* $\mathcal{F} = \mathcal{F}_1 \times \mathcal{F}_2$. Obviously, due to their type, the equations in $\mathcal{R}$ are not involved in the equational reasoning. Also, recall that Remark 7 applies. Therefore, $\mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \boxed{(\sigma_1, \sigma_2)} = \boxed{(\sigma'_1, \sigma'_2)}$ is a consequence of the inverted rule (6). More explicitly, it follows that $\mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \boxed{\sigma_1} = \boxed{\sigma'_1}$ and $\mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \boxed{\sigma_2} = \boxed{\sigma'_2}$ must hold. By the induction hypothesis, we deduce that $(\sigma_1, \sigma'_1) \in \mathcal{F}_1(cl(\mathcal{R}_{id}))$ and $(\sigma_2, \sigma'_2) \in \mathcal{F}_2(cl(\mathcal{R}_{id}))$. So by the definition of $\mathcal{F}_1 \times \mathcal{F}_2$ we conclude that $((\sigma_1, \sigma_2), (\sigma'_1, \sigma'_2)) = (\sigma, \sigma') \in \mathcal{F}_1 \times \mathcal{F}_2(cl(\mathcal{R}_{id}))$.

* The cases $\mathcal{F} = \mathcal{F}_1 \oplus \mathcal{F}_2$, $\mathcal{F} = \mathcal{F}_1^A$ and $\mathcal{F} = \mathcal{P}_\omega \mathcal{F}_1$ follow a similar reasoning.

• Proof of Theorem 2 b). It follows immediately by the definition of $B$ and Remark 7.

□

Corollary 1. Let $\mathcal{G}$ be a non-deterministic functor and $\mathcal{R}$ a binary relation on the set of $\mathcal{G}$-expressions.

a) If $\mathcal{G}$ is not a constant functor, then $cl(\mathcal{R}_{id})$ is a bisimulation iff $\mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \delta_{\mathcal{G} \lhd \mathcal{G}}(\mathcal{R})$.

b) If $\mathcal{G}$ is a constant functor $B$, then $cl(\mathcal{R}_{id})$ is a bisimulation iff $\mathcal{E}_{\mathcal{G}} \vdash_{NDF} \delta_{\mathcal{G} \lhd \mathcal{G}}(\mathcal{R})$.

Proof.

• Proof of Corollary 1 a). We reason as follows:

$cl(\mathcal{R}_{id})$ is a bisimulation

$\Leftrightarrow (\forall (\varepsilon, \varepsilon') \in cl(\mathcal{R}_{id})) \,.\, (\delta_{\mathcal{G} \lhd \mathcal{G}}(\varepsilon), \delta_{\mathcal{G} \lhd \mathcal{G}}(\varepsilon')) \in \mathcal{G}(cl(\mathcal{R}_{id}))$ (Def. 1)

$\Leftrightarrow \mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \delta_{\mathcal{G} \lhd \mathcal{G}}(cl(\mathcal{R}_{id}))$ (Thm. 2)

$\Leftrightarrow \mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \delta_{\mathcal{G} \lhd \mathcal{G}}(\mathcal{R})$ (by the definition of $cl(\mathcal{R}_{id})$ and the reflexivity, symmetry and transitivity of $\vdash_{NDF}$)

• Proof of Corollary 1 b). It follows immediately by the definition of bisimulation relations and according to the observations in Remark 7.

□

In Figure 2 we briefly summarize the results of the current section, namely, the algebraic encoding of the coalgebraic setting presented in [23].

5. A Decision Procedure for Bisimilarity in CIRC

In this section, we describe how the coinductive theorem prover CIRC can be used to implement the decision procedure for the bisimilarity of generalized regular expressions, which we discussed above.
coalgebraic | algebraic
--- | ---
$\vdash \varepsilon : \mathcal{F} \lhd \mathcal{G}$ | $\mathcal{E}_{\mathcal{G}} \vdash \varepsilon : \mathcal{F} \lhd \mathcal{G} = true$
$\mathrm{Exp}_{\mathcal{F} \lhd \mathcal{G}}$ | $\{\varepsilon \in T_{\Sigma, \mathrm{Exp}} \mid \mathcal{E}_{\mathcal{G}} \vdash \varepsilon : \mathcal{F} \lhd \mathcal{G} = true\}$
$\mathrm{Exp}_{\mathcal{G}}$ | $\{\varepsilon \in T_{\Sigma, \mathrm{Exp}} \mid \mathcal{E}_{\mathcal{G}} \vdash \varepsilon : \mathcal{G} \lhd \mathcal{G} = true\}$
$\mathcal{F}(\mathrm{Exp}_{\mathcal{G}})$ | $\{\sigma \in T_{\Sigma, \mathrm{ExpStruct}} \mid \mathcal{E}_{\mathcal{G}} \vdash \sigma \in \mathcal{F}(\mathrm{Exp}\,\mathcal{G}) = true\}$
$\delta_{\mathcal{F} \lhd \mathcal{G}} : \mathrm{Exp}_{\mathcal{F} \lhd \mathcal{G}} \to \mathcal{F}(\mathrm{Exp}_{\mathcal{G}})$ | δ_(_) : Ingredient Exp -> ExpStruct
$(\sigma, \sigma') \in \mathcal{F}(cl(\mathcal{R}_{id}))$ | $\mathcal{E}_{\mathcal{G}} \vdash \sigma \in \mathcal{F}(\mathrm{Exp}\,\mathcal{G}) = true$, $\mathcal{E}_{\mathcal{G}} \vdash \sigma' \in \mathcal{F}(\mathrm{Exp}\,\mathcal{G}) = true$, and $\mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \boxed{\sigma} = \boxed{\sigma'}$ if $\mathcal{G} \neq B$, or $\mathcal{E}_{\mathcal{G}} \vdash_{NDF} \boxed{\sigma} = \boxed{\sigma'}$ if $\mathcal{G} = B$ (Thm. 2)
$cl(\mathcal{R}_{id})$ is a bisimulation | $\mathcal{E}_{\mathcal{G}} \cup \boxed{\mathcal{R}} \vdash_{NDF} \delta_{\mathcal{G} \lhd \mathcal{G}}(\mathcal{R})$ if $\mathcal{G} \neq B$, or $\mathcal{E}_{\mathcal{G}} \vdash_{NDF} \delta_{\mathcal{G} \lhd \mathcal{G}}(\mathcal{R})$ if $\mathcal{G} = B$ (Cor. 1)

Figure 2: non-deterministic functors - coalgebraic vs. algebraic approach



CIRC can be seen as an extension of Maude with behavioral features and its implementation is derived from that of Full-Maude. In order to use the prover, one needs to provide a specification (a CIRC theory) and a set of goals. A CIRC theory $\mathcal{B} = (S, (\Sigma, \Delta), (E, \mathcal{I}))$ consists of an algebraic specification $(S, \Sigma, E)$, a set $\Delta$ of derivatives, and a set $\mathcal{I}$ of equational interpolants, which are expressions of the form $e \Rightarrow \{e_i \mid i \in I\}$ where $e$ and $e_i$ are equations. The intuition for this type of expression is simple: $e$ holds whenever for any $i$ in $I$ the equation $e_i$ holds. In other words, to prove $E \vdash e$ one can choose to instead prove $E \vdash \{e_i \mid i \in I\}$. For the particular case of non-deterministic functors, we use equational interpolants to extend the initial entailment relation in a way consistent with rules (6)-(9). A derivative $\delta \in \Delta$ is a $\Sigma$-term containing a special variable $*{:}s$ (i.e., a $\Sigma$-context), where $s$ is the sort of the variable $*$. If $e$ is an equation $t = t'$ with $t$ and $t'$ of sort $s$, then $\delta[e]$ is $\delta[t/*{:}s] = \delta[t'/*{:}s]$. We call this type of equation a derivable equation. The other equations are non-derivable. We write $\delta[\mathcal{R}]$ to represent $\{\delta[e] \mid e \in \mathcal{R}\}$, where $\mathcal{R}$ is a set of derivable equations, and $\Delta[e]$ for the set $\{\delta[e] \mid \delta \in \Delta \text{ appropriate for } e\}$.

Moreover, note that CIRC works with an extension of the entailment relation $\vdash$ over frozen equations (introduced in Section 4), with two more axioms, as in [13]:

$$E \cup \mathcal{R} \vdash \boxed{e} \ \text{ iff } \ E \vdash e \qquad (10)$$

$$E \cup \mathcal{R} \vdash \mathcal{G} \ \text{ implies } \ E \cup \delta[\mathcal{R}] \vdash \delta[\mathcal{G}] \ \text{ for each } \delta \in \Delta \qquad (11)$$

Above, $E$ ranges over unfrozen equations, $e$ over non-derivable unfrozen equations, and $\mathcal{R}$, $\mathcal{G}$ over derivable frozen equations.



Remark 8. Note that the new entailment $\vdash_{NDF}$ extended over frozen equations (in Definition 6) satisfies the assumptions (10) and (11).



CIRC implements the coinductive proof system given in [17] using a set of reduction rules of the form $(\mathcal{B}, \mathcal{F}, \mathcal{G}) \Rightarrow (\mathcal{B}, \mathcal{F}', \mathcal{G}')$, where $\mathcal{B}$ represents a specification, $\mathcal{F}$ is the coinductive hypothesis (a set of frozen equations) and $\mathcal{G}$ is the current set of goals. The freezing operator is defined as described in Section 4. Here is a brief description of these rules:

[Done]: $(\mathcal{B}, \mathcal{F}, \{\}) \Rightarrow \cdot$

Whenever the set of goals is empty, the system terminates with success.

[Reduce]: $(\mathcal{B}, \mathcal{F}, \mathcal{G} \cup \{\boxed{e}\}) \Rightarrow (\mathcal{B}, \mathcal{F}, \mathcal{G})$ if $\mathcal{B} \cup \mathcal{F} \vdash \boxed{e}$

If the current goal is a $\vdash$-consequence of $\mathcal{B} \cup \mathcal{F}$ then $\boxed{e}$ is removed from the set of goals.

[Derive]: $(\mathcal{B}, \mathcal{F}, \mathcal{G} \cup \{\boxed{e}\}) \Rightarrow (\mathcal{B}, \mathcal{F} \cup \{\boxed{e}\}, \mathcal{G} \cup \boxed{\Delta[e]})$ if $\mathcal{B} \cup \mathcal{F} \nvdash \boxed{e}$ and $e$ is derivable

When the current goal $e$ is derivable and it is not a $\vdash$-consequence, it is added to the hypotheses and its derivatives to the set of goals.

[Simplify]: $(\mathcal{B}, \mathcal{F}, \mathcal{G} \cup \{\boxed{\theta(e)}\}) \Rightarrow (\mathcal{B}, \mathcal{F}, \mathcal{G} \cup \{\boxed{\theta(e_i)} \mid i \in I\})$ if $e \Rightarrow \{e_i \mid i \in I\}$ is an equational interpolant from the specification and $\theta : X \to T_\Sigma(Y)$ is a substitution.

[Fail]: $(\mathcal{B}, \mathcal{F}, \mathcal{G} \cup \{\boxed{e}\}) \Rightarrow failure$ if $\mathcal{B} \cup \mathcal{F} \nvdash \boxed{e}$ and $e$ is non-derivable

This rule stops the reduction process with failure whenever the current goal $e$ is non-derivable and is not a $\vdash$-consequence of $\mathcal{B} \cup \mathcal{F}$.

It is worth noting that there is a strong connection between a CIRC proof and the construction of a bisimulation relation. We illustrate this fact and the importance of the freezing operator with a simple example.

Example 2. Consider the case of infinite streams. The set $B^\omega$ of infinite streams over a set $B$ is the final coalgebra of the functor $\mathcal{G} = B \times \mathrm{Id}$, with a coalgebra structure given by $hd$ and $tl$, the functions that return the head and the tail of the stream, respectively. Our purpose is to prove that $0^\omega = (00)^\omega$. Let $z$ and $zz$ represent the stream on the left hand side and, respectively, on the right hand side. These streams are defined by the equations: $hd(z) = 0$, $tl(z) = z$, $hd(zz) = 0$, $tl(zz) = 0{:}zz$. Note that equations over $B$ like $hd(z) = 0$ are not derivable and equations over streams like $tl(z) = z$ are derivable.

In Fig. 3 we present the correlation between the CIRC proof and the construction of the bisimulation relation. Note how CIRC collects the elements of the bisimulation as frozen hypotheses.

Figure 3: Parallel between a CIRC proof and the bisimulation construction. [Figure: the left column lists the CIRC proof states, starting from $(\mathcal{B}, \{\}, \{\boxed{z} = \boxed{zz}\})$. [Derive] moves $\boxed{z} = \boxed{zz}$ to the hypotheses and adds the goals $\boxed{hd(z)} = \boxed{hd(zz)}$ and $\boxed{tl(z)} = \boxed{tl(zz)}$, which reduce to $\boxed{0} = \boxed{0}$ and $\boxed{z} = \boxed{0{:}zz}$. A second [Derive] adds $\boxed{z} = \boxed{0{:}zz}$ to the hypotheses and the goals $\boxed{hd(z)} = \boxed{hd(0{:}zz)}$ and $\boxed{tl(z)} = \boxed{tl(0{:}zz)}$, i.e. $\boxed{z} = \boxed{zz}$, which is discharged by [Reduce]. The right column shows the relation growing from $\mathcal{F} = \{(z, zz)\}$ to $\mathcal{F} = \{(z, zz), (z, 0{:}zz)\}$, which is closed under $tl$ and agrees on $hd$, hence a bisimulation.]

Let us analyze what would happen if the freezing operator were not used. Suppose the circular coinduction algorithm would add the equation $z = zz$ in its unfrozen form to the hypotheses. After applying the derivatives we obtain the goals $hd(z) = hd(zz)$, $tl(z) = tl(zz)$. At this point, the prover could use the freshly added equation $z = zz$, and according to the congruence rule, both goals would be proven directly, though we would still be in the process of showing that the hypothesis holds. By following a similar reasoning, we could also prove that $0^\omega = 1^\omega$! In order to avoid these situations, the hypotheses are frozen (i.e., their sort is changed from Stream to Frozen), and this stops the application of the congruence rule, forcing the application of the derivatives according to their definition in the specification. Therefore, the use of the freezing operator is vital for the soundness of circular coinduction.
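The reduction rules above and the soundness argument of Example 2 can both be seen in a few lines of code. The following Python program is an added example (it is neither CIRC nor Maude code): it runs a minimal circular-coinduction loop over stream constants defined by their head/tail equations, keeps the collected hypotheses as frozen pairs that may only discharge a goal literally equal to them, and exposes a switch that instead lets the just-added hypothesis close the $hd$ goal by congruence, which is exactly the unsound behaviour the text describes. The constants z, zz and ones and their equations are constructed for this example.

```python
# Added example: circular coinduction on streams, with and without freezing.
# A stream term is a constant name defined by (hd, tl) equations in SPEC, or a
# cons cell ("cons", b, s) with hd = b and tl = s.  SPEC is constructed here.
SPEC = {
    "z":    (0, "z"),                 # hd(z) = 0,    tl(z) = z          : the stream 0^omega
    "zz":   (0, ("cons", 0, "zz")),   # hd(zz) = 0,   tl(zz) = 0:zz      : the stream (00)^omega
    "ones": (1, "ones"),              # hd(ones) = 1, tl(ones) = ones    : the stream 1^omega
}

def hd(s):
    return s[1] if isinstance(s, tuple) else SPEC[s][0]

def tl(s):
    return s[2] if isinstance(s, tuple) else SPEC[s][1]

def circ(goal, freeze=True):
    """Run [Reduce]/[Derive]/[Fail] on one goal (s, t).

    Returns the set of hypotheses collected (a bisimulation containing the goal)
    on success, or None on [Fail].  hd is the non-derivable derivative (sort B),
    tl the derivable one.  With freeze=True a hypothesis |s| = |t| only closes a
    goal that is syntactically (s, t) or (t, s); it is never used inside hd(_).
    With freeze=False the unfrozen hypothesis s = t is also applied under hd by
    congruence, so hd(s) = hd(t) is accepted without comparing the heads.
    Terminates whenever the tails generate finitely many distinct terms.
    """
    hyps, goals = set(), [goal]
    while goals:
        s, t = goals.pop()
        if s == t or (s, t) in hyps or (t, s) in hyps:
            continue                               # [Reduce]: reflexivity or a frozen hypothesis
        hyps.add((s, t))                           # [Derive]: the goal becomes a hypothesis
        if freeze and hd(s) != hd(t):
            return None                            # [Fail]: non-derivable goal |hd(s)| = |hd(t)| is false
        goals.append((tl(s), tl(t)))               # derivative goal |tl(s)| = |tl(t)|
    return hyps

if __name__ == "__main__":
    print(circ(("z", "zz")))                       # {('z', 'zz'), ('z', ('cons', 0, 'zz'))}
    print(circ(("z", "ones")))                     # None: heads 0 and 1 differ
    print(circ(("z", "ones"), freeze=False))       # {('z', 'ones')}: the unsound "proof"
```

The first call reproduces the two frozen hypotheses of Figure 3. The third call shows why freezing matters for soundness: once the hypothesis may be used under $hd$, the prover never compares the heads, and $0^\omega = 1^\omega$ is "proved" with a single hypothesis.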

Next, we focus on using CIRC for automatically reasoning on the equivalence of $\mathcal{G}$-expressions. As we will show, the implementation of both the algebraic specifications associated to non-deterministic functors and the equational entailment relation described in Section 4 is immediate. Given a non-deterministic functor $\mathcal{G}$, we define a CIRC theory $\mathcal{B}_{\mathcal{G}} = (S, (\Sigma, \Delta), (E, \mathcal{I}))$ as follows:

• $(S, \Sigma, E)$ is $\mathcal{E}_{\mathcal{G}}$;

• $\Delta = \{\delta_{\mathcal{G} \lhd \mathcal{G}}(*{:}\mathrm{Exp})\}$, so the only derivable equations are those of sort Exp. As we have already seen for the example of streams, equations of sort Slt must not be derivable. Since we have the subsort relation Slt < Exp, we avoid the application of the derivative $\delta_{\mathcal{G} \lhd \mathcal{G}}(*{:}\mathrm{Exp})$ over equations of sort Slt by means of an interpolant (see below).

• $\mathcal{I}$ consists of the following equational interpolants, whose role is to replace current proof obligations over non-trivial structures with simpler ones:

$$(\sigma_1, \sigma_2) = (\sigma'_1, \sigma'_2) \Rightarrow \{\sigma_1 = \sigma'_1,\ \sigma_2 = \sigma'_2\} \qquad (12)$$

$$k_i(\sigma) = k_i(\sigma') \Rightarrow \{\sigma = \sigma'\} \qquad (13)$$

$$f = g \Rightarrow \{f(a) = g(a) \mid a \in A\} \qquad (14)$$

$$\{\sigma_1, \ldots, \sigma_n\} = \{\sigma'_1, \ldots, \sigma'_m\} \Rightarrow \{\bigwedge_{i \in \overline{1,n}} (\bigvee_{j \in \overline{1,m}} \sigma_i = \sigma'_j),\ \bigwedge_{j \in \overline{1,m}} (\bigvee_{i \in \overline{1,n}} \sigma_i = \sigma'_j)\} \qquad (15)$$

together with an equational interpolant

$$t = t' \Rightarrow \{t \sim t' = true\} \qquad (16)$$

where $\sim$ is the equality predicate equationally defined over the sort Slt. The last interpolant transforms the equations of sort Slt from derivable (because of the subsort relation Slt < Exp) into non-derivable and equivalent ones.

The interpolants (12)-(16) in $\mathcal{I}$ extend the entailment relation $\vdash_{NDF}$ (introduced in Definition 6) as follows:

$$\frac{\mathcal{E} \vdash_{NDF} \{e_i \mid i \in I\}}{\mathcal{E} \vdash_{NDF} e} \ \text{ if } e \Rightarrow \{e_i \mid i \in I\} \text{ in } \mathcal{I}$$

Theorem 3 (Soundness). Let $\mathcal{G}$ be a non-deterministic functor, and $G$ a binary relation on the set of $\mathcal{G}$-expressions.

If $(\mathcal{B}_{\mathcal{G}}, \mathcal{F}_0 = \{\}, G_0 = \boxed{G}) \Rightarrow^* (\mathcal{B}_{\mathcal{G}}, \mathcal{F}_n, G_n = \{\})$ using [Reduce], [Derive] and [Simplify], then $G \subseteq \sim_{\mathcal{G}}$.

Proof. The idea of the proof is to find a bisimulation relation $\mathcal{F}$ s.t. $G \subseteq \mathcal{F}$. First let $\mathcal{F}$ represent the set of hypotheses (or derived goals) collected during the proof session. We distinguish between two cases:

a) $\mathcal{G} = B$. For this case, the set of expressions in $G$ is given by the following grammar:

$$\varepsilon ::= \emptyset \mid b \mid \varepsilon \oplus \varepsilon \mid \mu x.\varepsilon \qquad (17)$$

Note that the goals $\varepsilon = \varepsilon'$ in $G$ are proven

1. either according to [Simplify], applied in the context of the equational interpolant (16). If this is the case, then $\varepsilon = \varepsilon'$ holds by reflexivity, therefore

$$\mathcal{B}_{\mathcal{G}} \vdash_{NDF} \boxed{\delta_{B \lhd B}(\varepsilon)} = \boxed{\delta_{B \lhd B}(\varepsilon')} \qquad (18)$$

also holds;

2. or after the application of [Derive], in which case $\mathcal{B}_{\mathcal{G}} \cup \boxed{\mathcal{F}} \vdash_{NDF} \boxed{\delta_{B \lhd B}(\varepsilon)} = \boxed{\delta_{B \lhd B}(\varepsilon')}$ holds. Moreover, note that $\delta_{B \lhd B}(\varepsilon)$ and $\delta_{B \lhd B}(\varepsilon')$ are reduced to $b$, respectively $b' \in B$, according to (17) and the definition of $\delta_{B \lhd B}$. Consequently, the non-derivable (due to the subsort relation B < Slt) goal $\boxed{b} = \boxed{b'}$ holds by reflexivity, so the following is a sound statement:

$$\mathcal{B}_{\mathcal{G}} \vdash_{NDF} \delta_{B \lhd B}(\varepsilon) = \delta_{B \lhd B}(\varepsilon') \qquad (19)$$

Based on (18), (19) and Corollary 1 b), we conclude that $\mathcal{F} = cl(G_{id})$ is a bisimulation, hence $G \subseteq cl(G_{id}) \subseteq \sim_{\mathcal{G}}$.

b) $\mathcal{G} \neq B$. Based on the reduction rules implemented in CIRC, it is quite easy to see that the initial set of goals $G$ is a $\vdash_{NDF}$-consequence of $\mathcal{B}_{\mathcal{G}} \cup \boxed{\mathcal{F}}$. In other words, $G \subseteq cl(\mathcal{F}_{id})$. So, if we anticipate a bit, we should show that $\mathcal{F} = cl(\mathcal{F}_{id})$ is a bisimulation, i.e., according to Corollary 1, $\mathcal{B}_{\mathcal{G}} \cup \boxed{\mathcal{F}} \vdash_{NDF} \delta_{\mathcal{G} \lhd \mathcal{G}}(\mathcal{F})$. This is achieved by proving that $\mathcal{B}_{\mathcal{G}} \cup \boxed{\mathcal{F}} \vdash_{NDF} G_i$ ($i \in \overline{0,n}$) (note that $\delta_{\mathcal{G} \lhd \mathcal{G}}(\mathcal{F}) \subseteq \bigcup_{i \in \overline{0,n}} G_i$, according to [Derive]). The proof is by induction on $j$, where $n - j$ is the current proof step, and by case analysis on the CIRC reduction rules applied at each step.

We further provide a sketch of the proof.

The base case $j = n$ follows immediately, as $\mathcal{B}_{\mathcal{G}} \cup \boxed{\mathcal{F}} \vdash_{NDF} G_n = \emptyset$. For the induction step we proceed as follows. Let $\boxed{e} \in G_j$. If $\boxed{e} \in G_{j+1}$ then $\mathcal{B}_{\mathcal{G}} \cup \boxed{\mathcal{F}} \vdash_{NDF} \boxed{e}$ by the induction hypothesis. If $\boxed{e} \notin G_{j+1}$ then, for example, if [Reduce] was applied it holds that $\mathcal{B}_{\mathcal{G}} \cup \mathcal{F}_j \vdash_{NDF} \boxed{e}$. Recall that $\mathcal{F}_j \subseteq \boxed{\mathcal{F}}$, so $\mathcal{B}_{\mathcal{G}} \cup \boxed{\mathcal{F}} \vdash_{NDF} \boxed{e}$ also holds. The result follows in a similar fashion for the application of [Derive] or [Simplify].

□

Remark 9. The soundness of the proof system we describe in this paper does not follow directly from Theorem 3 in [17]. This is due to the fact that we do not have an experiment-based definition of bisimilarity. So, even though the mechanism we use for proving $\mathcal{B}_{\mathcal{G}} \cup \boxed{\mathcal{F}} \vdash_{NDF} \delta_{\mathcal{G} \lhd \mathcal{G}}(\mathcal{F})$ (for the case $\mathcal{G} \neq B$) is similar to the one described in [17], the current soundness proof is conceived in terms of bisimulations (and not experiments).

Remark 10. The entailment relation $\vdash_{NDF}$ that CIRC uses for checking the equivalence of generalized regular expressions is an instantiation of the parametric entailment relation $\vdash$ from the proof system in [17]. This approach allows CIRC to reason automatically on a large class of systems which can be modeled as non-deterministic coalgebras.

As already stated, our final goal is to use CIRC as a decision procedure for the bisimilarity of generalized regular expressions. That is, whenever provided a set of expressions, the prover stops with a yes/no answer w.r.t. their equivalence. In this context, an important aspect is that the sub-coalgebra generated by an expression $\varepsilon \in \mathrm{Exp}_{\mathcal{G}}$ by repeatedly applying $\delta_{\mathcal{G}}$ is, in general, infinite. Take for example the non-deterministic functor $\mathcal{G} = B \times \mathrm{Id}$ associated to infinite streams, and consider the property $\mu x.\emptyset \oplus r(x) = \mu x.r(x)$. In order to prove this, CIRC builds an infinite proof sequence by repeatedly applying $\delta_{\mathcal{G}}$ as follows:

$\delta_{\mathcal{G}}(\mu x.\emptyset \oplus r(x)) = \delta_{\mathcal{G}}(\mu x.r(x))$

↓

$(0, \emptyset \oplus (\mu x.\emptyset \oplus r(x))) = (0, \mu x.r(x))$

↓

$\delta_{\mathcal{G}}(\emptyset \oplus (\mu x.\emptyset \oplus r(x))) = \delta_{\mathcal{G}}(\mu x.r(x))$

↓

$(0, \emptyset \oplus \emptyset \oplus (\mu x.\emptyset \oplus r(x))) = (0, \mu x.r(x))$ [...]

In this case, the prover would never stop. We observed in Section 3 that Theorem 1 guarantees we can associate a finite coalgebra to a certain expression. In the proof of the aforementioned theorem, which is presented in [23], it is shown that the axioms for associativity, commutativity and idempotence (ACI) of $\oplus$ guarantee finiteness of the generated sub-coalgebra (note that these axioms have also been proven sound w.r.t. bisimulation). ACI properties can easily be specified in CIRC as the prover is an extension of Maude, which has a powerful matching modulo ACUI (ACI plus unity) capability. The idempotence is given by the equation $\varepsilon \oplus \varepsilon = \varepsilon$, and the commutativity and associativity are specified as attributes of $\oplus$. It is interesting to remark that for the powerset functor termination is guaranteed without the axioms, because the coalgebra structure on the expressions for the powerset functor already includes ACI (since $\mathcal{P}_\omega \mathcal{F}(\mathrm{Exp})$ is itself a join-semilattice).

Theorem 4. Let $G$ be a set of proof obligations over generalized regular expressions. CIRC can be used as a decision procedure for the equivalences in $G$, that is, it can decide whether a goal $(\varepsilon_1, \varepsilon_2) \in G$ is a true or false equality.

Proof. Note that, as proven in [23], the ACI axioms for $\oplus$ guarantee that $\delta_{\mathcal{G}}$ is applied a finite number of times in the generation of the sub-coalgebra associated to a $\mathcal{G}$-expression. Therefore, it straightforwardly follows that by implementing the ACI axioms in CIRC (as attributes of $\oplus$), the set of new goals obtained by applying $\delta_{\mathcal{G}}$ is finite. In these circumstances, whenever CIRC stops according to the reduction rule [Done], the initial proof obligations are bisimilar. On the other hand, whenever it terminates with [Fail], the goals are not bisimilar. □



6. A CIRC-based Tool

We have implemented a tool that, when provided with a functor $\mathcal{G}$, automatically generates a specification for CIRC which can then be used in order to automatically check whether two $\mathcal{G}$-expressions are bisimilar. The tool is implemented as a metalanguage application in Maude. It can be downloaded from the address http://goriac.info/tools/functorizer/ In order to start the tool, one needs to launch Maude along with the extension Full-Maude and load the downloaded file using the command in functorizer.maude .

The general use case consists in providing the join-semilattices, the alphabets and the expressions. After these steps, the tool automatically checks if the provided expressions are guarded, closed and correctly typed. If this check succeeds, then it outputs a specification that can be further processed by CIRC. In the end, the prover outputs either the bisimulation, if the expressions are equivalent, or a negative answer, otherwise.

We present two case studies in order to emphasize the high degree of generality for the types of systems we can handle, and show how the tool is used.

Example 3. We consider the case of Mealy machines, which are coalgebras for the functor $(B \times \mathrm{Id})^A$.

Formally, a Mealy machine is a pair $(S, \alpha)$ consisting of a set $S$ of states and a transition function $\alpha : S \to (B \times S)^A$, which for each state $s \in S$ and input $a \in A$ associates an output value $b$ and a next state $s'$. Typically, we write

$$\alpha(s)(a) = (b, s') \Leftrightarrow s \xrightarrow{a|b} s'.$$

In this example and in what follows we will consider for the output the two-value join-semilattice $B = \{0, 1\}$ (with $\bot_B = 0$) and for the input alphabet $A = \{a, b\}$. The expressions for Mealy machines are given by the grammar:

$E ::= \emptyset \mid x \mid E \oplus E \mid \mu x.E_2 \mid a(r(E)) \mid b(r(E)) \mid a(l(E_1)) \mid b(l(E_1))$

$E_1 ::= \emptyset \mid E_1 \oplus E_1 \mid 0 \mid 1$

$E_2 ::= \emptyset \mid E_2 \oplus E_2 \mid \mu x.E_2 \mid a(r(E)) \mid b(r(E)) \mid a(l(E_1)) \mid b(l(E_1))$

Intuitively, an expression of shape $a(l(E_1))$ specifies a state that for an input $a$ has an output value specified by $E_1$. For example, the expression $a(l(1))$ specifies a state that for input $a$ outputs 1, whereas in the case of $a(l(0))$ the output is 0. An expression of shape $a(r(E))$ specifies a state that for a certain input $a$ has a transition to a new state represented by $E$. For example, the expression $\mu x.a(r(x))$ states that for input $a$ the machine will perform an "$a$-loop" transition, whereas $a(r(\emptyset))$ states that for input $a$ there is a transition to the state denoted by $\emptyset$. It is interesting to note that a state will only be fully specified in what concerns transitions and output (for a given input $a$) if both $a(l(E_1))$ and $a(r(E))$ appear in the expression (combined by $\oplus$). In the case only the transition (resp. the output) is specified, the underspecification is resolved by setting the missing output (resp. target state) to $\bot_B = 0$ (resp. $\emptyset$).

Next, to provide the reader with intuition, we will explain how one can reason on the bisimilarity of two simple expressions, by constructing bisimulation relations. Later on, we show how CIRC can be used in conjunction with our tool in order to act as a decision procedure when checking equivalence of two expressions, in a fully automated manner.

We will start with the expressions e± = [ix.a(r{x)) and e 2 = 0We have to 
build a bisimulation relation TZ on S-expressions, such that (£1,62) £ TZ. Wc 
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do this in the following way: we start by taking TZ = {(£i,£ 2 )} and we check 
whether this is already a bisimulation, by considering the output values and 
transitions and check whether no new expressions appear in this process. If 
new pairs of expressions appear we add them to TZ and repeat the process. 
Intuitively, this can be represented as follows: 




[Figure 4 (diagram): the expressions $\varepsilon_1$ and $\varepsilon_2$ with their transitions labelled $a|0$, $b|0$; the relation grows from $R = \{(\varepsilon_1, \varepsilon_2)\}$ to $R = \{(\varepsilon_1, \varepsilon_2), (\varepsilon_2, \varepsilon_2)\}$ ("not yet in $R$; add it").]

Figure 4: Bisimulation construction

In the figure above, and as before, we use the notation $\varepsilon_1 \mathrel{R} \varepsilon_2$ to denote $(\varepsilon_1, \varepsilon_2) \in R$. As illustrated in Figure 4, $R = \{(\varepsilon_1, \varepsilon_2), (\varepsilon_2, \varepsilon_2)\}$ is closed under transitions and is therefore a bisimulation. Hence, $\varepsilon_1 \sim_{\mathcal{G}} \varepsilon_2$.

The proved equality $\emptyset = \mu x.a(r(x))$ might seem unexpected if the reader is familiar with labelled transition systems. The equality is sound because these are expressions specifying the behaviour of a Mealy machine and, semantically, both denote the function that for every non-empty word outputs $0$ (the semantics of Mealy machines is given by functions in $B^{A^+}$; intuitively, one can think of these expressions as both denoting the empty language). This is visible if one draws the automata corresponding to both expressions (say, for simplicity, the alphabet is $A = \{a\}$):

[Diagram: the automata for $\mu x.a(r(x))$ and for $\emptyset$, each a single state whose transitions ($a|0$, $b|0$) loop back to itself.]



Note that (i) the expression $\emptyset$ for Mealy machines is mapped by $\delta$ to a function that for input $a$ gives $(0, \emptyset)$, which represents a state with an $a$-loop to itself and output $0$; (ii) the second expression specifies explicitly an $a$-loop to itself and it also has output $0$, since no output value is explicitly defined. Now, also note that similar expressions for labelled transition systems (LTS), or coalgebras of the functor $\mathcal{P}_\omega(-)^A$, would not be bisimilar, since one would have an $a$-transition and the other one not. This is because the expression $\emptyset$ for LTS really denotes a deadlock state. In operational terms they would be converted to the systems

[Diagram: the LTS for $\emptyset$, a single state with no transitions, and the LTS for $\mu x.a(x)$, a single state with an $a$-loop.]

which now have an obvious difference in behaviour.
By performing similar reasoning as in the example above, one can show that the expressions $\varepsilon_1 = \mu x.a(r(x)) \oplus b(r(x))$ and $\varepsilon_2 = \mu x.a(r(x))$ are bisimilar, and the bisimulation relation is built as illustrated in Figure 5.



[Figure 5 (diagram): the expressions $\varepsilon_1$, $\varepsilon_2$ and $\emptyset$ with their transitions labelled $a|0$, $b|0$; the relation grows from $R = \{(\varepsilon_1, \varepsilon_2)\}$ to $R = \{(\varepsilon_1, \varepsilon_2), (\varepsilon_1, \emptyset)\}$ ("not yet in $R$; add it").]

Figure 5: Bisimulation construction
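The relation-building procedure used for Figures 4 and 5 (start from the pair to be proved, follow the transitions of both expressions, add each new pair until the relation is closed or the outputs disagree), as an added Python example; it is not code from the paper or from the CIRC/Maude tool. It keeps Mealy expressions in ACI+unity normal form as sets of summands so that the successor sets stay finite, and the names var, mu, r, l, plus, step and bisimilar are this example's own.

```python
"""Bisimulation construction for Mealy-machine expressions, functor (B x Id)^A.

Expressions are kept in ACI+unity normal form: a frozenset of summands, so
that the empty set is the expression ∅ and set union is ⊕. A summand is
  ('var', x)        fixed-point variable x
  ('mu', x, body)   μx.body  (body is itself a frozenset of summands)
  ('r', a, e)       a(r(e)): on input a, move to the expression e
  ('l', a, v)       a(l(v)): on input a, output v in B = {0, 1}
"""

EMPTY = frozenset()                                  # the expression ∅

def var(x): return frozenset({('var', x)})
def mu(x, body): return frozenset({('mu', x, body)})
def r(a, e): return frozenset({('r', a, e)})
def l(a, v): return frozenset({('l', a, v)})
def plus(*es): return frozenset().union(*es)         # ⊕ modulo ACI and ∅ ⊕ e = e

def subst(e, x, val):
    """e[val/x]; an inner binder μx shadows x."""
    out = set()
    for atom in e:
        if atom[0] == 'var':
            out |= val if atom[1] == x else {atom}
        elif atom[0] == 'mu' and atom[1] != x:
            out.add(('mu', atom[1], subst(atom[2], x, val)))
        elif atom[0] == 'r':
            out.add(('r', atom[1], subst(atom[2], x, val)))
        else:                                        # 'l', or a μx shadowing x
            out.add(atom)
    return frozenset(out)

def step(e, inputs):
    """δ(e): for every input a, the pair (output in B, next expression).
    Outputs of the summands are joined in B (max), next states are summed
    with ⊕, μx.E is unfolded once, and whatever is left unspecified defaults
    to output 0 and next state ∅, as the paper describes."""
    out = {a: 0 for a in inputs}
    nxt = {a: EMPTY for a in inputs}
    for atom in e:
        if atom[0] == 'mu':
            _, x, body = atom
            for a, (o, n) in step(subst(body, x, mu(x, body)), inputs).items():
                out[a], nxt[a] = max(out[a], o), nxt[a] | n
        elif atom[0] == 'r':
            nxt[atom[1]] = nxt[atom[1]] | atom[2]
        elif atom[0] == 'l':
            out[atom[1]] = max(out[atom[1]], atom[2])
        else:
            raise ValueError('free variable %r in a closed expression' % atom[1])
    return {a: (out[a], nxt[a]) for a in inputs}

def bisimilar(e1, e2, inputs):
    """Grow R from {(e1, e2)} with the successor pairs of every pair in it.
    Returns (True, R) once R is closed under transitions (a bisimulation),
    or (False, R) as soon as two related expressions disagree on an output."""
    rel, todo = set(), [(e1, e2)]
    while todo:
        p, q = todo.pop()
        if (p, q) in rel:                            # pair already checked
            continue
        dp, dq = step(p, inputs), step(q, inputs)
        for a in inputs:
            if dp[a][0] != dq[a][0]:                 # outputs differ
                return False, rel
            todo.append((dp[a][1], dq[a][1]))        # "not yet in R; add it"
        rel.add((p, q))
    return True, rel

if __name__ == '__main__':
    A = ('a', 'b')
    eps1 = mu('x', r('a', var('x')))                 # μx.a(r(x)) from Figure 4
    print(bisimilar(eps1, EMPTY, A))                 # (True, {(ε1, ∅), (∅, ∅)})
```

Run on the expressions of Figure 7 the check stops at the first pair whose outputs differ and returns False together with the pairs built so far.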



Let us further consider the Mealy machine depicted in Figure 6, where all states are bisimilar.

Figure 6: Mealy machine: $s_1 \sim s_2$



We show how to check the equivalence of two expressions characterizing the states $s_1$ and $s_2$, in a fully automated manner, using CIRC. These expressions are $\varepsilon_1 = \mu x.b(l(1)) \oplus b(r(\varepsilon_2)) \oplus a(r(\mu y.a(r(y)) \oplus b(r(\varepsilon_2)) \oplus b(l(1))))$ and $\varepsilon_2 = \mu x.b(l(1)) \oplus b(r(x)) \oplus a(r(x))$, respectively.

In order to check the bisimilarity of $\varepsilon_1$ and $\varepsilon_2$ we load the tool and define the semilattice $B = \{0, 1\}$ and the alphabet $A = \{a, b\}$:

(jslt B is 0 1 bottom 0 . 0 v 0 = 0 . 0 v 1 = 1 . 1 v 1 = 1 . endjslt)
(alph A is a b endalph)

We provide the functor $\mathcal{G}$ using the command (functor (B x Id)^A .). The command (set goal ... .) specifies the goal we want to prove:



(set goal
  \mu X:FixpVar . b(l<1>) (+) a(l<0>) (+) b(r<X:FixpVar>) (+)
    a(r<X:FixpVar>)
  =
  \mu X:FixpVar . b(l<1>) (+) b(r<\mu X:FixpVar . b(l<1>) (+)
    b(r<X:FixpVar>) (+) a(r<X:FixpVar>)>) (+)
    a(r<\mu Y:FixpVar . a(r<Y:FixpVar>) (+)
    b(r<\mu X:FixpVar . b(l<1>) (+) a(l<0>) (+)
    b(r<X:FixpVar>) (+) a(r<X:FixpVar>)>) (+) b(l<1>)>) .)

In order to generate the CIRC specification we use the command (generate coalgebra .). Next we need to load CIRC along with the resulting specification and start the proof engine using the command (coinduction .).

As already shown, behind the scenes, CIRC builds a bisimulation relation 
that includes the initial goal. The proof succeeds and the output consists of (a 
subset of) this bisimulation: 

Proof succeeded.
Number of derived goals: 2
Number of proving steps performed: 50
Maximum number of proving steps is set to: 256
Proved properties:
- phi (+) (\mu X . a(l<0>) (+) a(r<X>) (+) b(l<1>) (+) b(r<X>)) =
  phi (+) (\mu Y . a(r<Y>) (+) b(l<1>) (+)
  b(r<\mu X . a(l<0>) (+) a(r<X>) (+) b(l<1>) (+) b(r<X>)>))
- \mu X . a(l<0>) (+) a(r<X>) (+) b(l<1>) (+) b(r<X>) =
  \mu Z . a(r<\mu Y . a(r<Y>) (+) b(l<1>) (+)
  b(r<\mu X . a(l<0>) (+) a(r<X>) (+) b(l<1>) (+) b(r<X>)>)>) (+)
  b(l<1>) (+) b(r<\mu X . a(l<0>) (+) a(r<X>) (+)
  b(l<1>) (+) b(r<X>)>)

For ease of understanding, here we printed a readable version of the proved properties. In Section 6.1, however, we show that internally each expression is brought to a canonical form by renaming the variables. Moreover, note that in our tool $\emptyset$ is represented by the constant phi. All the examples provided in the current section make use of this convention.

As previously mentioned, CIRC is also able to detect when two expressions are not equivalent. Take, for instance, the expressions $\mu x.a(l(0)) \oplus a(r(a(l(1)) \oplus a(r(x))))$ and $a(l(0)) \oplus a(r(a(r(\mu x.a(r(x)) \oplus a(l(0)))) \oplus a(l(1))))$, characterizing the states $s_1$ and $s_3$ of the Mealy machines in Figure 7. After following steps similar to the ones previously enumerated, the proof fails and the output message is "Visible goal [...] failed during coinduction".




Figure 7: Mealy machines: $s_1 \not\sim s_3$



Example 4. Let us show how one may check strong bisimilarity of two nondeterministic processes of a non-trivial CCS-like language with termination, deadlock, and divergence, as studied in [?]. A process is a guarded, closed term defined by the following grammar:

$$P ::= \checkmark \mid \delta \mid \Omega \mid a.P \mid P + P \mid x \mid \mu x.P \qquad (20)$$

where: 
• $\checkmark$ is the constant for successful termination,

• $\delta$ denotes deadlock,

• $\Omega$ is the divergent computation (i.e., the undefined process),

• $a.P$ is the process executing the action $a$ and then continuing as the process $P$, for any action $a$ from a given set $A$,

• $P_1 + P_2$ is the non-deterministic process behaving as either $P_1$ or $P_2$, and

• $\mu x.P$ is the recursive process $P[\mu x.P/x]$.

In [?] it is shown that, up to strong bisimilarity, the above syntax of processes is equivalent to the canonical set of (guarded, closed) regular expressions derived for the functor $1 \oplus \mathcal{P}_\omega(\mathrm{Id})^A$:

$$\begin{array}{rcl}
E & ::= & \emptyset \mid E \oplus E \mid x \mid \mu x.E \mid l[E_1] \mid r[E_2] \\
E_1 & ::= & \emptyset \mid E_1 \oplus E_1 \mid 1 \\
E_2 & ::= & \emptyset \mid E_2 \oplus E_2 \mid a(E_3) \\
E_3 & ::= & \emptyset \mid E_3 \oplus E_3 \mid \{E\}
\end{array}$$

The translation map $(-)^\dagger$ from processes to expressions is defined by induction on the structure of the process:

$$\begin{array}{ll}
(\checkmark)^\dagger = l[1] & (a.P)^\dagger = r[a(\{P^\dagger\})] \\
(\delta)^\dagger = r[\emptyset] & (P_1 + P_2)^\dagger = (P_1)^\dagger \oplus (P_2)^\dagger \\
(\Omega)^\dagger = \emptyset & (\mu x.P)^\dagger = \mu x.P^\dagger \\
x^\dagger = x . &
\end{array}$$

Consider now two processes $P$ and $Q$ over the alphabet $A = \{a, b\}$:

$$\begin{array}{l}
P = \mu x.(a.x + a.P_1 + b.b.\checkmark + b.(\delta + \Omega)) \\
Q = \mu z.(a.z + b.(\delta + b.\checkmark) + b.\delta)
\end{array}$$

where $P_1 = \mu y.(a.(y + \delta) + b.\delta + b.(\delta + b.\checkmark) + \delta)$. Graphically, the two processes can be represented by the following labelled transition systems (for simplicity we omit annotating states with information regarding the satisfiability of successful termination, divergence, and deadlock):




Figure 8: Nondeterministic processes: $Q \sim P$
We want to check if the process $P$ is strongly bisimilar to the process $Q$. By using the above translation, process $P$ is represented by the expression

$$\begin{array}{l}
\mu x.(\, r[a(\{\mu y.(r[a(\{y \oplus r[\emptyset]\})] \oplus r[b(\{r[\emptyset]\})] \oplus r[b(\{r[\emptyset] \oplus r[b(\{l[1]\})]\})] \oplus r[\emptyset])\})] \oplus \\
\qquad r[a(\{x\})] \oplus r[b(\{r[b(\{l[1]\})]\})] \oplus r[b(\{r[\emptyset] \oplus \emptyset\})] \,)
\end{array}$$

whereas process $Q$ is represented by the expression

$$\mu z.(r[a(\{z\})] \oplus r[b(\{r[\emptyset] \oplus r[b(\{l[1]\})]\})] \oplus r[b(\{r[\emptyset]\})]).$$

In order to use the tool, one needs to specify the semilattice, the alphabet, the functor, and the goal in a manner similar to the one previously presented:

(jslt B is 1 bottom 1 . 1 v 1 = 1 . endjslt)
(alph A is a b endalph)
(functor B + (P Id)^A .)

(set goal \mu X:FixpVar .
    r[ a( { X:FixpVar } ) ] (+)
    r[ a( { \mu Y:FixpVar .
              r[ a( { Y:FixpVar (+) r[ phi ] } ) ] (+)
              r[ b( { r[ phi ] } ) ] (+)
              r[ b( { r[ phi ] (+) r[ b( { l[ 1 ] } ) ] } ) ] (+)
              r[ phi ]
          } ) ] (+)
    r[ b( { r[ b( { l[ 1 ] } ) ] } ) ] (+)
    r[ b( { r[ phi ] (+) phi } ) ]
  =
  \mu Z:FixpVar .
    r[ a( { Z:FixpVar } ) ] (+)
    r[ b( { r[ phi ] (+) r[ b( { l[ 1 ] } ) ] } ) ] (+)
    r[ b( { r[ phi ] } ) ] .)

For the generated specification, CIRC terminates and outputs a positive result:

Proof succeeded.
Number of derived goals: 15
Number of proving steps performed: 58
Maximum number of proving steps is set to: 256
Proved properties:
- r[phi] (+) (\mu Y. r[phi] (+) r[a({r[phi] (+) Y})] (+) r[b({r[phi]})]
  (+) r[b({r[phi] (+) r[b({l[1]})]})]) =
  \mu Z. r[a({Z})] (+) r[b({r[phi]})] (+) r[b({r[phi] (+) r[b({l[1]})]})]
- r[b({l[1]})] = r[phi] (+) r[b({l[1]})]
- \mu Y. r[phi] (+) r[a({r[phi] (+) Y})] (+) r[b({r[phi]})] (+)
  r[b({r[phi] (+) r[b({l[1]})]})] =
  \mu Z. r[a({Z})] (+) r[b({r[phi]})] (+) r[b({r[phi] (+) r[b({l[1]})]})]
- \mu X. r[a({X})] (+) r[a({\mu Y. r[phi] (+) r[a({r[phi] (+) Y})] (+)
  r[b({r[phi]})] (+) r[b({r[phi] (+) r[b({l[1]})]})]})] (+)
  r[b({r[phi] (+) phi})] (+) r[b({r[b({l[1]})]})] =
  \mu Z. r[a({Z})] (+) r[b({r[phi]})] (+) r[b({r[phi] (+) r[b({l[1]})]})]

6.1. Implementation

In this section we present details on the implementation of the algebraic specification given in Section 4, based on the examples from Section 6.

In order to generate the algebraic specifications for CIRC when provided with a functor and two expressions, we used the Maude system [?]. We chose it for its suitability for performing equational and rewriting-logic-based computations, and because of its reflective properties, which allow for the development of advanced metalanguage applications. As the technical aspects of how to work at the meta-level are beyond the scope of this paper, we refrain from presenting them and show, instead, what the generated specifications consist of.

Most of the algebraic specifications from Section 4 have a straightforward implementation in Maude. Consider, for instance, the case of Mealy machines presented in Example 3. The generated grammars for functors (1) and expressions (Definition 3) are coded as:

sort Functor .
sorts Exp ExpStruct Alph Slt .
sorts AlphName SltName .
subsort Exp < ExpStruct .
subsort SltName < Functor .
enum A is a b .
enum B is 0 1 .
subsort A < Alph .
op A : -> AlphName .
subsort B < Slt .
op B : -> SltName .
op G : -> Functor .
op Id : -> Functor .
op _+_ : Functor Functor -> Functor .
op _^_ : Functor AlphName -> Functor .
op _x_ : Functor Functor -> Functor .
op _`(+`)_ : Exp Exp -> Exp .
op _`(_`) : Alph Exp -> Exp .
op \mu_._ : FixpVar Exp -> Exp .
ops l<_> r<_> : Exp -> Exp .
op phi : -> Exp .
eq G = (B x Id) ^ A .

Most of the syntactical constructs are Maude-specific: sorts and subsort declare the sorts we work with and, respectively, the relations between them; op declares operators; eq declares equations (the equation in our case defines the shape of the functor G). The only CIRC-specific construct, enum, is syntactic sugar for declaring enumerable sorts, i.e., sorts that consist only of the specified constants. As a side note, if brackets ((, [, {) are used in the declaration of an operation, then they must be preceded by a backquote (`).

As mentioned in Section [?], in order to guarantee the finiteness of our procedure, one needs to include the ACI axioms for (+). Moreover, we have observed that the unity axiom for (+) plays an important role in decreasing the number of states generated by the repeated application of $\delta_{\mathcal{G}}$, therefore improving the overall time performance of the tool. For example, the number of rewritings CIRC performed in order to prove the bisimilarity of $\varepsilon_1$ and $\varepsilon_2$ in Figure 5 was halved when the unity axiom was used.

By turning on the axiomatization flag using the command (axioms on .), the following code is generated:

op _`(+`)_ : Exp Exp -> Exp [assoc comm] .
eq E:Exp (+) E:Exp = E:Exp .
eq E:Exp (+) phi = E:Exp .

An obvious question is why not add other axioms to the tool, since the unity axiom has improved performance. At this stage we have not studied in detail how much adding other axioms would help. It is in any case a trade-off between how many extra axioms one includes, which brings the automaton produced from an expression closer to the minimal automaton, and how much time the tool takes to reduce the expressions in each step modulo the axioms. For classical regular expressions, there is an interesting empirical study on this [?]. We leave it as future work to carry out a similar study for our expressions and axioms.

The process of substituting fixed-point variables has a natural implementation. We present the equations handling the basic expressions $\emptyset$ and $x$, and the operation (+):

op _`[_/_`] : Exp Exp FixpVar -> Exp .
eq phi [ E:Exp / X:FixpVar ] = phi .
ceq Y:FixpVar [ E:Exp / X:FixpVar ] = E:Exp if (X:FixpVar == Y:FixpVar) .
eq Y:FixpVar [ E:Exp / X:FixpVar ] = Y:FixpVar [owise] .
eq (E1:Exp (+) E2:Exp) [ E:Exp / X:FixpVar ] =
   (E1:Exp [E:Exp / X:FixpVar]) (+) (E2:Exp [E:Exp / X:FixpVar]) .

In order to avoid matching problems and to overcome the fact that in Maude one cannot handle an equation that has fresh variables in its right-hand side (i.e., variables that do not appear in the left-hand side), we replace expression variables with parameterized constants: op var : Nat -> FixpVar . The operation that obtains this canonical form has an inductive definition on the structure of the given expression and makes use of the substitution operation presented above. For this reason, the bisimulation CIRC builds contains parameterized constants instead of the user-declared variables. The property proved in Example 4 is, therefore, written as:

\mu var(2) . r[a({var(2)})] (+) r[a({\mu var(1) . r[phi] (+)
r[a({r[phi] (+) var(1)})] (+) r[b({r[phi]})] (+) r[b({r[phi] (+)
r[b({l[1]})]})]})] (+) r[b({r[phi] (+) phi})] (+) r[b({r[b({l[1]})]})]
=
\mu var(1) . r[a({var(1)})] (+) r[b({r[phi]})] (+)
r[b({r[phi] (+) r[b({l[1]})]})]

The most important part of the algebraic specification consists of the equations defining the operations $\delta_{-}(-)$, $\mathrm{Plus}_{-}(-,-)$, and $\mathrm{Empty}$. Most of these equations are implemented as presented in [23]. The only difficulties we encountered were for the exponentiation, as Maude does not handle higher-order functions. Without entering into details, as a workaround, we introduced a new sort Function < ExpStruct and an operation \ . : ExpoCase Alph Functor ExpStruct -> Function in order to emulate function passing. The first argument is used to memorize the origin where the exponentiation ingredient is encountered: $\delta$, Plus, or Empty. Its purpose is purely technical: we use it in order to avoid some internal matching problems. The other three parameters are those of the structured expression $\lambda.(a, \iota \lhd \mathcal{G}, \sigma)$ presented in Section 4: a letter in the alphabet, an ingredient, and some other structured expression.

Another thing worth describing is the way we enable CIRC to prove equivalences when the powerset functor occurs. Namely, we present how the interpolant (?) is implemented. Recall that we want to show that two sets of expressions are equivalent, which means that for each expression in the first set there must be an equivalent one in the second set, and vice versa.

In order to handle sets of structured expressions we introduce a new sort, ExpStructSet, as a supersort of ExpStruct. We also consider the set separator _,_ : ExpStructSet ExpStructSet -> ExpStructSet [assoc comm], the empty set emptyS : -> ExpStructSet, and the set wrapping operation {_} : ExpStructSet -> ExpStruct. In order to mimic universal quantification over a set, we use a special constant referred to as the token "[/]". In what follows, we consider two variables of sort ExpStruct, ES and ES', and two variables of sort ExpStructSet, ESS and ESS'. We now describe the process of finding the equivalence between two sets:

• whenever encountering two wrapped expression sets, we add the universal quantification token to each of them in two distinct goals:

srl {ESS} = {ESS'} => {[/] ESS} = {ESS'} /\ {ESS} = {[/] ESS'} .

• iterate through the expressions on the left-hand side (similarly for the other direction):

srl {[/] (ES , ESS)} = {ESS'} =>
    {[/] ES} = {ESS'} /\ {[/] ESS} = {ESS'} .
srl {ESS} = {[/] (ES' , ESS')} =>
    {ESS} = {[/] ES'} /\ {ESS} = {[/] ESS'} .

• when left with one expression on the left-hand side, start iterating through the expressions on the right-hand side until finding an equivalence (similarly for the other direction):

srl {[/] ES} = {ES' , ESS'} => ES = ES' \/ {[/] ES} = {ESS'} .
srl {ES , ESS} = {[/] ES'} => ES = ES' \/ {ESS} = {[/] ES'} .

• if no equivalence has been found, transform the current goal into a visible failure:

srl {ESS} = emptyS => true = false .
srl emptyS = {ESS} => true = false .

Finally, the type checker for structured expressions has a straightforward implementation. Its code does not appear in the generated specification, as it is only used when the tool receives the expressions as input. This prevents generating the specification and starting the prover in case invalid expressions are provided.
7. Discussion



One of the major contributions of this paper is that we provided a decision procedure for the bisimilarity of generalized regular expressions. In order to enable the implementation of the decision procedure, we have exploited an encoding of coalgebra into algebra, and we formalized the equivalence between the coalgebraic concepts associated to non-deterministic coalgebras [23] and their algebraic correspondents. This led to the definition of algebraic specifications ($\mathcal{E}_{\mathcal{G}}$) that model both the language and the coalgebraic structure of expressions. Moreover, we defined an equational deduction relation ($\vdash_{\mathrm{ndf}}$), used on the algebraic side for reasoning about the bisimilarity of expressions.

The most important result of the parallel between the coalgebraic and algebraic approaches is given in Corollary 1, which formalizes the definition of the bisimulation relations in algebraic terms. Actually, this result is the key for proving the soundness of the decision procedure implemented in the automated prover CIRC [14]. As a coinductive prover, CIRC builds a relation $T$ closed under the application of $\delta_{\mathcal{G}}$ with respect to $\vdash_{\mathrm{ndf}}$ ($\mathcal{E}_{\mathcal{G}} \vdash_{\mathrm{ndf}}$ ), hence automatically computing a bisimulation the initial proof obligations belong to.

The approach we present in this paper enables CIRC to perform reasoning based on bisimulations (instead of experiments [17]). This way, the prover is extended to checking bisimilarity in a large class of systems that can be modeled as non-deterministic coalgebras. Note that the constructions above are all automated: the (non-trivial) CIRC algebraic specification describing $\mathcal{E}_{\mathcal{G}}$, together with the interpolants implementing $\vdash_{\mathrm{ndf}}$, are generated with the Maude tool presented in Section [?].

We now mention some of the existing coalgebra-based tools for proving bisimilarity and the main differences with the tool presented in this paper. CoCasl [?] and CCSL [?] are tools that can generate proof obligations for theorem provers from coalgebraic specifications. In [?] several tactics for interactive and automatic bisimulation building are implemented in Isabelle/HOL and are used to derive bisimilarities for specifications translated from CoCasl. The main difference between our tool and CoCasl or CCSL is that, given a functor, the tool derives a specification language for which equivalence is decidable (that is, it is automatic and not interactive). CIRC [?, ?], on top of which the current tool is built, is based on hidden logic [?] and uses a partial decision procedure for proving bisimilarities via implicit construction of bisimulations. Our tool can be seen as an extension of CIRC to a fully automatic theorem prover for the class of non-deterministic coalgebras. We stress the fact that the focus of this paper was on a language for which equivalence is decidable. Tools such as CoCasl, CCSL or CIRC have a more expressive language, in which one can, for instance, specify streams that could not be specified in our language (intuitively, the streams we can specify in our language are eventually periodic). In those tools, however, decidability of equivalence cannot be guaranteed.

There are several directions for future work. 

Extending the class of systems to include quantitative coalgebras (such as weighted automata and Markov chains) will enlarge the scope of applicability of the tool. The challenge in this extension arises from the fact that the definition of expressions for quantitative coalgebras involving the distribution monad is not as modular as for the other functors (for details see [22]). This is a consequence of the fact that the sum of two valid expressions might not be a valid expression anymore (since in distributions we require that the probabilities add up to 1). Moreover, calculating bisimulation relations in the quantitative setting will encompass metric manipulation, which is currently not implemented in CIRC.

To improve usability, building a graphical interface for the tool is an obvious next step. The graphical interface should ideally allow the specification of expressions by means of systems of equations (which are then solved internally) or even by means of an automaton, which would then be translated to an expression using Kleene's theorem. We would also like to explore how adding more axioms than ACI to the prover (that is, performing each step of the bisimulation checking modulo more equations) improves the performance. Our experience so far shows that by adding the axiom for the distribution of the expression $\emptyset$ through the constructors, i.e. $\emptyset \oplus e = e$, the prover works significantly faster.

We have not yet studied complexity bounds for the algorithms presented in this paper. We conjecture, however, that the bounds will be very similar to those already known for classical regular expressions [13, ?]. Further explorations in this direction are left as future work.